[gpfsug-discuss] ssh authentication on CES nodes

Tue Jul 23 11:11:08 BST 2024

Hi Ivano,

I am curious about this line of your message:
“For us that's quite annoying, since we can't login with our personal/central accounts and then sudo.”

We only allow administrator access to the GPFS cluster via the EMS nodes. We will be restricting them to MFA based access.
We then navigate to all other nodes from one of them.

End users can access an area shared to the HPC cluster via ssh, and we have an internal FTP server mounting various areas via NFS, but no direct ssh access to the whole GPFS cluster.

Kindest regards,
Paul

Paul Ward
TS Infrastructure Architect
Natural History Museum
T: 02079426450
E: p.ward at nhm.ac.uk<mailto:p.ward at nhm.ac.uk>
[cid:image001.png at 01DADCF1.0446AA60]

From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> On Behalf Of Jarsulic, Michael [BSD]
Sent: Monday, July 22, 2024 3:17 PM
To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>; gpfsug-discuss at spectrumscale.org
Subject: Re: [gpfsug-discuss] ssh authentication on CES nodes

Ivano,

I am running SSSD on the CES nodes (we need it for file authorization for NFS and SMB, but rely on AD for authentication). IBM set this up for us, had no issues doing it, and there were no library conflicts.

--
Mike Jarsulic
Associate Director, Scientific Computing
Center for Research Informatics | Biological Sciences Division
University of Chicago
5454 South Shore Drive, Chicago, IL 60615 | (773) 702-2066

From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org<mailto:gpfsug-discuss-bounces at gpfsug.org>> on behalf of Talamo Ivano Giuseppe <ivano.talamo at psi.ch<mailto:ivano.talamo at psi.ch>>
Date: Monday, July 22, 2024 at 8:55 AM
To: gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org> <gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org>>
Subject: [EXTERNAL] [gpfsug-discuss] ssh authentication on CES nodes
Dear all, I have a question regarding the CES service, aka protocol nodes. Our CES cluster is configured with the AD authentication and, accordingly to the documentation [1], SSSD should not be running on the CES nodes. For us that's quite annoying,
ZjQcmQRYFpfptBannerStart
External: Use caution with links, attachments, and providing information.
Report Suspicious <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/MyIu0v6UfBA57LoN!4d_ODmlK7vdRO65GX_WTdZ3OfENAmlISr9BG6gKN6oPi384swmgkx0NzN8m6yWO08nZU-czK_NGKaSRNTtX3uO27nXLYetWX-fcXozmjTFNW7krLzXtpZD2eFFMkVMHiRpIuzzofs4dqbkJPXQ$>

ZjQcmQRYFpfptBannerEnd
Dear all,

I have a question regarding the CES service, aka protocol nodes.
Our CES cluster is configured with the AD authentication and, accordingly to the documentation [1], SSSD should not be running on the CES nodes. For us that's quite annoying, since we can't login with our personal/central accounts and then sudo.
Neither we can use winbind, since samba-winbind-modules package (that provides the necessary PAM module) conflicts with the gpfs.smb package.
We will probably end up creating one or more local accounts and using ssh keys for access.
But I wonder if someone with a similar problem found a better workaround.

Thanks,
Ivano

[1] https://www.ibm.com/docs/en/storage-scale/5.2.0?topic=authentication-limitations<https://urldefense.com/v3/__https:/www.ibm.com/docs/en/storage-scale/5.2.0?topic=authentication-limitations__;!!MyIu0v6UfBA57LoN!81qFjI1_Bd1tQ1ey7YDQHcce_OlEdsQ90dPVDgCbIFzKNw9JJPDKJ4BtVVdy1qE2Xiq3aE1-6-yht4mLhMrH-RUVMbma6g$>

__________________________________________
Paul Scherrer Institut
Ivano Talamo
OBBA/230
Forschungsstrasse 111
5232 Villigen PSI
Schweiz

Phone: +41 56 310 47 11
E-Mail: ivano.talamo at psi.ch<mailto:ivano.talamo at psi.ch>

Available: Monday - Wednesday

________________________________
“This message was received from outside of the organization. Please pay special attention and practice care when clicking on any links, or providing any information to the sender. Cyber attacks commonly attempt to trick you in to thinking the sender is a reputable individual who you can trust.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20240723/cb7b43c1/attachment-0003.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 12974 bytes
Desc: image001.png
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20240723/cb7b43c1/attachment-0003.png>