[torqueusers] How to rip out user validation?

Lloyd Brown lloyd_brown at byu.edu
Wed Jun 23 11:16:40 MDT 2010


On 6/23/10 10:58 AM, matthew devney wrote:
> Yes.  That would make my job as a cluster admin a lot easier and have
> no security implications whatsoever.
>
> Clusters are expensive and people who don't get to use one, usually
> don't have access to one.  Only 5 people have access to my clusters,
> and they all know what they're doing.  I feel sure my setup is not
> uncommon.
>   

Seriously?  You're really prepared to give up that level of
accountability?  I mean what happens if one of them has a weak password,
and it gets compromised?  Are you absolutely sure that they're not
sharing passwords around?  And what about accidents?  Maybe they know
what they're doing in general, but are they immune from making
mistakes?  I feel like I know what I'm doing, but just yesterday, I shut
down our Moab scheduler briefly, on the production scheduler, simply
because I was in the wrong terminal window.  Since this kind of lack of
user authentication would allow users to run things as root on your
compute nodes, I sincerely hope that the compute nodes don't have SSH
keys that will let them go anywhere else as root.

Long story short, if you're willing to rip out this kind of security
check, you might as well give your clusters' root password to the users.

I sincerely hope you're not working with any regulated data, like HIPAA
stuff.

-- 


Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu



