Setup for OpenSSH

There are two general methods to use. One will not be discussed here fully but rather mentioned in passing: each user gets an empty-passphrase key, whose public half is then copied into their authorized_keys file. We used this for several years, and while it certainly works, it is awfully ugly to manage. Tip: use id_rsa_pbs as the key name so as not to interfere with users who have their own ssh keys set up (for external connections).

Use something like this:

/etc/ssh/ssh_config
Host node*
  IdentityFile ~/.ssh/id_rsa_pbs

Hostbased ssh setup, with torque access control and minor performance tweaks:

On the SSHD server side (which means everywhere, BUT!!! the head node, with its external logins, should have a more secure sshd_config):

/etc/ssh/shosts.equiv
headnode.internal.domain
node1.internal.domain
node2.internal.domain
...

/etc/ssh/sshd_config # ON INTERNAL NODES ONLY!
# Safety valve (root)
PubkeyAuthentication            yes
# Main component
HostbasedAuthentication         yes
# /etc/pbs_sshauth with pam_listfile.so (see below)
UsePAM                          yes
# Security measures
IgnoreUserKnownHosts            yes
IgnoreRhosts                    yes
PermitUserEnvironment           no
UseLogin                        no
PermitRootLogin                 without-password
# Reduce latency for MPI
LogLevel                        ERROR
Ciphers                         blowfish-cbc
Compression                     no
Protocol                        2
# You might want to change the following on the head
# node, depending on your external network environment
# and group preferences
ChallengeResponseAuthentication no
PasswordAuthentication          no
KerberosAuthentication          no
GSSAPIAuthentication            no
UseDNS                          no
PrintMotd                       no
PrintLastLog                    no
X11Forwarding                   no
# on head node this really should be yes
StrictModes                     no
# REMOVE / COMMENT OUT SFTP SUBSYSTEM ON COMPUTE NODES
# Subsystem       sftp    /usr/libexec/openssh/sftp-server

/etc/sysconfig/sshd
# Turn off IPV6 addresses
OPTIONS="-4"

/etc/security/access.conf
-:ALL EXCEPT root:ALL

NOTE: The above is what the pam_access.so line below consults; it prevents root from getting locked out even when root isn't listed in /etc/pbs_sshauth.

/etc/pam.d/sshd (modified to use pam_listfile.so for access control)
#%PAM-1.0
# obviously on compute nodes only
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
account    sufficient   pam_access.so
account    required     pam_listfile.so file=/etc/pbs_sshauth onerr=fail sense=allow item=user
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
#
# original, for sake of comparison
#auth       required     pam_stack.so service=system-auth
#auth       required     pam_nologin.so
#account    required     pam_stack.so service=system-auth
#password   required     pam_stack.so service=system-auth
#session    required     pam_stack.so service=system-auth

$PBS_DIR/mom_priv/prologue AND $PBS_DIR/mom_priv/prologue.parallel
#!/bin/sh
# obviously on compute nodes only
# Torque passes the job owner's user name as $2; it becomes the only
# name pam_listfile.so accepts for the duration of the job.
/bin/rm -f /etc/pbs_sshauth ; echo "$2" > /etc/pbs_sshauth ; exit 0

$PBS_DIR/mom_priv/epilogue AND $PBS_DIR/mom_priv/epilogue.parallel
#!/bin/sh
# obviously on compute nodes only
# Leave an empty list behind, so no user is accepted between jobs.
/bin/rm -f /etc/pbs_sshauth ; echo "" > /etc/pbs_sshauth ; exit 0
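
The prologue/epilogue and PAM pieces above only make sense together, so here is an added, self-contained emulation of the decision the compute-node account stack makes (pam_access "sufficient" with the access.conf line above, then pam_listfile with onerr=fail sense=allow item=user). It is not Torque, PAM or OpenSSH code; AUTHFILE is a constructed temp file standing in for /etc/pbs_sshauth, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not Torque, PAM or OpenSSH code): emulates the account
# decision the compute-node PAM stack above makes, so the prologue/epilogue
# behaviour can be checked offline. AUTHFILE defaults to a constructed temp
# file rather than the real /etc/pbs_sshauth.

AUTHFILE="${AUTHFILE:-$(mktemp)}"

# Same as the Torque prologue: $2 there is the job owner; list only that user.
pbs_prologue() {
    rm -f "$AUTHFILE"
    echo "$1" > "$AUTHFILE"
}

# Same as the epilogue: leave an empty file, so nobody is listed.
pbs_epilogue() {
    rm -f "$AUTHFILE"
    echo "" > "$AUTHFILE"
}

# Mirrors the account stack:
#   account sufficient pam_access.so    (-:ALL EXCEPT root:ALL in access.conf)
#   account required   pam_listfile.so file=$AUTHFILE onerr=fail sense=allow item=user
# Returns 0 if the user would get past the account phase, 1 otherwise.
account_allowed() {
    user="$1"
    # pam_access: root is the only name access.conf does not deny, and
    # "sufficient" means the stack stops here for it (the safety valve).
    [ "$user" = "root" ] && return 0
    # pam_listfile with onerr=fail: a missing or unreadable list denies everyone.
    [ -r "$AUTHFILE" ] || return 1
    # sense=allow item=user: allowed only if the exact user name is a line.
    grep -qxF "$user" "$AUTHFILE"
}

# Constructed walk-through of one job lifecycle on a node.
pbs_prologue alice
for u in alice bob root; do
    account_allowed "$u" && echo "during job: $u allowed" || echo "during job: $u denied"
done
pbs_epilogue
for u in alice bob root; do
    account_allowed "$u" && echo "after job:  $u allowed" || echo "after job:  $u denied"
done
rm -f "$AUTHFILE"
```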

On the SSH Client side (everywhere):

/etc/ssh/ssh_config
FallBackToRsh                   no
EnableSSHKeysign                yes
# Host patterns are separated by whitespace, not commas
Host    node* headnode.internal.domain headnode
  BatchMode                       yes
  ConnectionAttempts              5
  ForwardX11                      no
  HostbasedAuthentication         yes
  PreferredAuthentications        hostbased
  CheckHostIP                     no
  UserKnownHostsFile              /dev/null
  Ciphers                         blowfish-cbc
  Compression                     no

Maintenance:

shosts.equiv needs to be updated when new nodes are added. You could use netgroups for this, either NIS or a netgroup file (not tested by myself, but I've read of others doing so on Linux). You probably want to add something at bootup to clear out /etc/pbs_sshauth. Revisit the cipher/compression settings as better options become available, for performance gains.

NOTE: Entries are necessary for all users in /etc/shadow on the compute node. They can (and probably ought to) be locked (!! in the password field).

NOTE: If you have "UseDNS no" in your server config, make sure your entries in /etc/ssh/shosts.equiv are IP addresses, not hostnames.

NOTE: For root to bypass the PBS authentication scheme we have configured entirely, set up a passphraseless key just for root and distribute the private and public keys, plus an authorized_keys file containing that key, to all compute nodes and to the head node.