[torqueusers] [torquedev] TORQUE authorization security vulnerability
Coyle, James J [ITACD]
jjc at iastate.edu
Tue Aug 9 16:08:15 MDT 2011
I'm glad you are looking into the security issue,
but I don't think that this is much of an issue for the
following cluster setup,
1) which is how I always deploy a cluster, and
2) which I would guess is the common setup for large clusters.
Please let me know if there is a problem with my logic.
- Jim C.
Login node:
  1) Firewalled to allow incoming connections only for ssh.
     State kept for outgoing connections to allow
     replies returning on other ports.
  2) Only connections from local IP address: X.Y.m.n
     or campus VPN where campus has X.Y network on eth1.
     Connects to internal 172.16.x.y network on eth0.
  3) Acts as gateway for outgoing connections for compute nodes (e.g. for license servers).
  4) Runs Torque server and scheduler.
  5) Kept up-to-date on all packages, including kernel.
  6) Rebooted to get new kernel or glibc when exploit is announced.
Compute nodes:
  Single Ethernet connection on 172.16.x.y (no direct outside connection).
  Allows passwordless ssh from root or any other user on internal network.
  Keep current on all packages.
  Rolling reboots between jobs whenever exploits announced.
Fileservers:
  Also only on internal 172.16.x.y network.
This to me is just treating the cluster like a single machine with a single point
of connection to the campus and not to the whole world. (VPN permits connection from off-campus.)
Since I have hundreds of machines to manage, I don't want them all open
to potential attack, so they only communicate via internal network.
The compute nodes then don't have to waste CPU time running a firewall,
and I am free to allow password-less ssh internally.
>From: torqueusers-bounces at supercluster.org [mailto:torqueusers-
>bounces at supercluster.org] On Behalf Of Chris Samuel
>Sent: Tuesday, August 09, 2011 4:25 PM
>To: torqueusers at supercluster.org
>Subject: Re: [torqueusers] [torquedev] TORQUE authorization security
>On Wed, 10 Aug 2011 07:19:00 AM David Beer wrote:
>> Essentially, TORQUE uses the idea for cluster security that
>> individual machines in the cluster are secure, therefore you can
>> trust root users.
>Phew.. for a while I thought this was an unpatched exploit!
>Thanks for the details David, much appreciated.
>BTW: If you think that's a problem you should try running
>GPFS where root on any node must be able to ssh to any
>other node as root with no password. :-(
> Christopher Samuel - Senior Systems Administrator
> VLSCI - Victorian Life Sciences Computation Initiative
> Email: samuel at unimelb.edu.au Phone: +61 (0)3 903 55545
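A check for the login-node firewall described in the message above, added here as an example and not part of the original post or of TORQUE: it reads `iptables-save` output and reports any INPUT rule that accepts more on the campus-facing interface than ssh from the campus network. Assumptions: 192.0.2.0/24 stands in for the "X.Y" campus network, 172.16.0.0/16 for the internal "172.16.x.y" network, traffic on lo and eth0 is treated as trusted, and the sample dumps are constructed.

```python
import shlex

# Constructed iptables-save dump for the login node (eth1 = campus, eth0 = internal).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s 172.16.0.0/16 -j ACCEPT
-A INPUT -i eth1 -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 172.16.0.0/16 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/16 -o eth1 -j MASQUERADE
COMMIT
"""
# Constructed weak variant: ssh from any source, pbs_server default port 15001 open on eth1.
WEAK = SAMPLE.replace("-s 192.0.2.0/24 -p tcp", "-p tcp").replace(
    "COMMIT\n*nat", "-A INPUT -i eth1 -p tcp -m tcp --dport 15001 -j ACCEPT\nCOMMIT\n*nat")

def _opt(tok, flag):
    """Value following an option flag, or None (negated '!' matches are not handled)."""
    return tok[tok.index(flag) + 1] if flag in tok else None

def audit(dump, ext_if="eth1", campus="192.0.2.0/24"):
    """Return findings for filter/INPUT rules that expose more than ssh on ext_if."""
    findings, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":INPUT ") and line.split()[1] != "DROP":
            findings.append("INPUT default policy is not DROP")
        elif table == "filter" and line.startswith("-A INPUT "):
            tok = shlex.split(line)
            if _opt(tok, "-j") != "ACCEPT":
                continue
            if _opt(tok, "-i") not in (None, ext_if):
                continue  # lo or internal interface: trusted in this design
            state = _opt(tok, "--ctstate")
            if state and set(state.split(",")) <= {"RELATED", "ESTABLISHED"}:
                continue  # replies to outgoing connections
            if (_opt(tok, "-p"), _opt(tok, "--dport"), _opt(tok, "-s")) == ("tcp", "22", campus):
                continue  # ssh from the campus network only
            findings.append("exposed on %s: %s" % (ext_if, line))
    return findings
```

`audit(SAMPLE)` returns an empty list; `audit(WEAK)` returns one finding for the unrestricted ssh rule and one for the exposed port 15001.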