[gpfsug-discuss] ssh authentication on CES nodes

Talamo Ivano Giuseppe ivano.talamo at psi.ch
Mon Jul 29 07:30:24 BST 2024


Hi Jonathan,

Yes, we have dedicated personal admin accounts. But they're also centrally configured on AD. The problem stays the same.

We don't have an EMS for those nodes. Our CES nodes are in a storage-less cluster (the storage is accessed via remote-cluster mount) and we install them via our puppet-based infrastructure.

Thanks for the suggestion of using pam_krb5. I'm not a big fan since RHEL discontinued it in favour of SSSD, but I'll check it out.

Regards,
Ivano



__________________________________________
Paul Scherrer Institut
Ivano Talamo
OBBA/230
Forschungsstrasse 111
5232 Villigen PSI
Schweiz

Phone: +41 56 310 47 11
E-Mail: ivano.talamo at psi.ch

Available: Monday - Wednesday

________________________________
From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> on behalf of Jonathan Buzzard <jonathan.buzzard at strath.ac.uk>
Sent: 23 July 2024 13:29
To: gpfsug-discuss at gpfsug.org <gpfsug-discuss at gpfsug.org>; gpfsug-discuss at spectrumscale.org <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] ssh authentication on CES nodes

On Tue, 2024-07-23 at 10:11 +0000, Paul Ward wrote:
> Hi Ivano,
>
> I am curious about this line of your message:
> “For us that's quite annoying, since we can't login with our
> personal/central accounts and then sudo.”
>
> We only allow administrator access to the GPFS cluster via the EMS
> nodes. We will be restricting them to MFA based access.
> We then navigate to all other nodes from one of them.
>
>

My guess would be that administrators log onto the cluster using their
personal/central accounts and then use sudo to issue administrative
commands. This creates a log of who issued what commands at what time.
Useful when you have more than one administrator and provides a level
of tracking.

Though personally I think using your "personal" everyday account for
this is suboptimal. Best practice would suggest having a separate
personal administrator account. So for example in a previous life my
normal everyday account was njab14, no different than anyone else's
account, but I had a separate administrator account, sjab14. That
could do things like sudo, had rights in the AD, etc. etc.

You can also do things like create groups of users that can log onto
things that normal users can't.


JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
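Added example, not from the list or from any poster: a small Python parser over constructed sudo syslog lines (the `user : TTY=... ; PWD=... ; USER=... ; COMMAND=...` format sudo logs) that builds the who-ran-what-when trail Jonathan describes and flags sudo use by accounts outside a dedicated admin set, plus denied attempts. Host names, accounts and commands are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample lines in the format sudo writes to syslog/auth.log.
# Host names, accounts and commands are invented for this example.
SAMPLE_LOG = """\
Jul 29 07:30:24 ces01 sudo:   sjab14 : TTY=pts/0 ; PWD=/home/sjab14 ; USER=root ; COMMAND=/usr/lpp/mmfs/bin/mmlscluster
Jul 29 07:31:02 ces01 sudo:   njab14 : TTY=pts/1 ; PWD=/home/njab14 ; USER=root ; COMMAND=/usr/lpp/mmfs/bin/mmces service list
Jul 29 07:32:40 ces01 sudo:   njab14 : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/njab14 ; USER=root ; COMMAND=/bin/bash
Jul 29 07:33:11 ces01 sshd[4242]: Accepted publickey for sjab14 from 192.0.2.10 port 51234 ssh2
"""

# Optional "reason" field (e.g. "user NOT in sudoers") precedes TTY= on denials.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str      # the personal/admin account that invoked sudo
    target: str    # the account the command ran as (usually root)
    cmd: str
    denied: bool   # True when sudo refused the request

def parse_sudo_events(log: str) -> List[SudoEvent]:
    """Return one event per sudo line; other syslog lines (sshd etc.) are ignored."""
    events = []
    for line in log.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        reason = m.group("reason") or ""
        events.append(SudoEvent(m["ts"], m["host"], m["user"], m["target"],
                                m["cmd"].strip(), "NOT in sudoers" in reason))
    return events

def audit_trail(events: List[SudoEvent]) -> List[str]:
    """Who ran what, when: the per-command attribution sudo gives you."""
    return [f"{e.ts} {e.host} {e.user} -> {e.target}: {e.cmd}" for e in events if not e.denied]

def flag_unexpected_admins(events: List[SudoEvent], admin_accounts: Set[str]) -> List[SudoEvent]:
    """Flag sudo use by accounts outside the dedicated admin set, and any denials."""
    return [e for e in events if e.user not in admin_accounts or e.denied]
```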