(1) allow a group of users to access a cluster of machines once they have logged in from any single machine in the cluster.
(2) set up a PBS system where users can access all the CPU resources seamlessly from any node they log in to.
Procedures:
1. Put all nodes and their aliases into /etc/hosts on both the remote server and the host machine:
127.0.0.1 hostname.example.com localhost
130.102.72.43 macondo04.eait.uq.edu.au macondo04
130.102.72.42 macondo03.eait.uq.edu.au macondo03
130.102.72.41 macondo02.eait.uq.edu.au macondo02
130.102.72.40 macondo01.eait.uq.edu.au macondo01
2. Put all trusted nodes into /etc/hosts.equiv of the remote server:
# the ip address is the most important one
130.102.72.40
130.102.72.41
130.102.72.42
130.102.72.43
10.33.20.120
macondo01 macondo03 macondo04 macondo01.eait.uq.edu.au macondo02.eait.uq.edu.au macondo03.eait.uq.edu.au macondo04.eait.uq.edu.au
This is one of the most important parts of host-based authentication; one should carefully check the validity of /etc/hosts.equiv. The aliases seem not very useful for host-based ssh; however, they are quite important to allow accounts in OpenLDAP to execute jobs.
3. Configure /etc/ssh/sshd_config of the remote server as follows:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# (done by chenming; sshd rejects a trailing comment on the directive line itself)
RhostsRSAAuthentication yes
# similar for protocol version 2
HostbasedAuthentication yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
The most important change for this section is to add:
RhostsRSAAuthentication yes
HostbasedAuthentication yes
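Since a typo in this file keeps sshd from starting, it helps to check the two directives the way sshd itself reads the file. The following checker is an added example, not code from the original post; the sample configurations in it are constructed, modelled on the Debian file above. It applies sshd's own parsing rules (leading whitespace skipped, a line is a comment only when its first non-blank character is '#', case-insensitive keywords, whitespace or a single '=' between keyword and value, first occurrence wins) and flags extra tokens after a single-valued directive, which sshd refuses as "garbage at end of line", so a note like "#done by chenming" cannot sit on the same line as the directive.

```python
"""Check an sshd_config for the directives the post adds on the server.

Added example, not part of the original post; the sample configs below
are constructed. Parsing follows sshd: leading whitespace is skipped, a
line is a comment only when its first non-blank character is '#',
keywords are case-insensitive, whitespace or one '=' separates keyword
and value, the first occurrence of a keyword wins, and extra tokens after
a single-valued directive make sshd refuse the whole file.
"""
import re

# What the post requires on the server; both default to "no" in sshd.
# (RhostsRSAAuthentication is a protocol-1 option; OpenSSH 7.4 and later
# accept it only as a deprecated, ignored keyword.)
REQUIRED = {"hostbasedauthentication": "yes", "rhostsrsaauthentication": "yes"}
# Directives that take exactly one value (a subset, enough for this check).
SINGLE_VALUE = {"hostbasedauthentication", "rhostsrsaauthentication",
                "ignorerhosts", "ignoreuserknownhosts", "permitrootlogin",
                "pubkeyauthentication", "passwordauthentication", "usepam", "port"}
KEYWORD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return (settings, errors). settings maps lowercase keyword -> list of
    value tokens from the global section; directives under a Match block
    are conditional and are not collected."""
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            errors.append("line %d: unparseable: %r" % (lineno, line))
            continue
        keyword, values = m.group(1).lower(), m.group(2).split()
        if keyword == "match":
            break                              # end of the global section
        if not values:
            errors.append("line %d: %s has no value" % (lineno, keyword))
            continue
        if keyword in SINGLE_VALUE and len(values) > 1:
            # sshd calls fatal() here, e.g. for a trailing "# note".
            errors.append("line %d: garbage at end of line: %r"
                          % (lineno, " ".join(values[1:])))
            continue
        settings.setdefault(keyword, values)   # first occurrence wins
    return settings, errors


def check_hostbased(text):
    """Findings for the server side; an empty list means the file parses
    and both required directives carry the expected value."""
    settings, findings = parse_sshd_config(text)
    for keyword, want in REQUIRED.items():
        got = settings.get(keyword, ["no"])[0].lower()
        if got != want:
            findings.append("%s is %r, expected %r" % (keyword, got, want))
    return findings


# Constructed samples modelled on the post's Debian sshd_config.
BAD_CONFIG = """\
Port 22
Protocol 2
IgnoreRhosts yes
RhostsRSAAuthentication yes #done by chenming
# similar for protocol version 2
HostbasedAuthentication yes
"""
GOOD_CONFIG = BAD_CONFIG.replace(" #done by chenming", "")

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check_hostbased(cfg) or "ok")
```

Run it against a copy of the real file with `check_hostbased(open("/etc/ssh/sshd_config").read())`; `sshd -t` remains the authoritative syntax check, this only explains which line will trip it.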
4. On the remote server (macondo04 in this example), store the RSA public host keys of the host machines by executing the following. This is one of the most important parts of the configuration, as all the machines listed in /etc/ssh/ssh_known_hosts obtain the privilege to log in to the host without entering a password:
ssh-keyscan -t rsa macondo01 >> /etc/ssh/ssh_known_hosts
ssh-keyscan -t rsa macondo02 >> /etc/ssh/ssh_known_hosts
ssh-keyscan -t rsa macondo03 >> /etc/ssh/ssh_known_hosts
After that, /etc/ssh/ssh_known_hosts on the remote server (macondo04 in this example) looks like the following (keys truncated here):
macondo01 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS9bpDVmAgB4SEljkS2zxxY
macondo02 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC49CqXF
macondo03 ssh-rsa AAAB3NzaC1yc2EAAAADAQABAAABAQC9Nre7E2EUmWx/xso4MYCTPXdCyiad4q
Each entry should also carry the FQDN and the IP address of the machine:
macondo01,macondo01.eait.uq.edu.au,130.102.72.40 ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
macondo02,macondo02.eait.uq.edu.au,130.102.72.41 ssh-rsa AAAAB3NzaC1yc2EAAAADA
macondo03,macondo03.eait.uq.edu.au,130.102.72.42 ssh-rsa AAAB3NzaC1yc2EAAAADAQA
It is tested that if the IP address is not included in ssh_known_hosts, host-based authentication may fail.
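Step 2 says to check the validity of /etc/hosts.equiv carefully, and step 4 shows that each ssh_known_hosts entry needs the short name, FQDN and IP. The following audit script is an added example, not code from the original post; its sample file contents are constructed from the hosts above, with the keys truncated as on the page. It reads hosts.equiv the way sshd does (auth-rhosts.c): blank lines and lines whose first non-blank character is '#' are skipped, a line is "hostname" or "hostname username", and a line with three or more tokens is treated as garbage and silently ignored, so an inline "#" comment or several aliases on one line make that line worthless. A client matches an entry when the entry equals the name sshd resolved for it (case-insensitively) or its IP address. The sample deliberately contains both pitfalls to show how they surface.

```python
"""Audit /etc/hosts.equiv and /etc/ssh/ssh_known_hosts for host-based auth.

Added example, not part of the original post; the sample file contents
are constructed from the post's hosts, keys truncated as on the page.
hosts.equiv is parsed as sshd does: skip blank and '#' lines, accept
"host" or "host user", ignore lines with three or more tokens.
"""


def parse_hosts_equiv(text):
    """Return (entries, ignored): entries is a list of (host, user_or_None),
    ignored a list of (lineno, reason) for lines sshd will not honour."""
    entries, ignored = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        if len(tokens) == 1:
            entries.append((tokens[0], None))
        elif len(tokens) == 2:
            # A second token names a remote user who may then log in as any
            # local user (except root) from that host; rarely intended here.
            entries.append((tokens[0], tokens[1]))
        else:
            # Trailing "# comment" or several hosts on one line land here.
            ignored.append((lineno, "%d tokens, sshd treats the line as garbage"
                            % len(tokens)))
    return entries, ignored


def parse_known_hosts(text):
    """Return one set of host patterns per plain entry. Hashed entries
    (first field starting with '|') and wildcard or negated patterns are
    kept as literal strings and therefore never match a plain name."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:                # need hostnames, key type, key
            continue
        patterns.append(set(fields[0].split(",")))
    return patterns


def missing_known_hosts(name, fqdn, ip, known):
    """Names of the client that no ssh_known_hosts entry carries."""
    needed = {name, fqdn, ip}
    covered = set()
    for pats in known:
        covered |= needed & pats
    return sorted(needed - covered)


def audit(hosts_equiv_text, known_hosts_text, clients):
    """clients: iterable of (short name, FQDN, IP). Returns (report, ignored)."""
    entries, ignored = parse_hosts_equiv(hosts_equiv_text)
    trusted = {host.lower() for host, _ in entries}
    known = parse_known_hosts(known_hosts_text)
    report = {}
    for name, fqdn, ip in clients:
        # sshd compares each entry with the name it resolved for the client
        # (short or fully qualified, depending on the resolver) or its IP.
        report[name] = {
            "trusted_by_hosts_equiv": bool({name.lower(), fqdn.lower(), ip} & trusted),
            "missing_from_known_hosts": missing_known_hosts(name, fqdn, ip, known),
        }
    return report, ignored


# Constructed samples: the post's files with the pitfalls left in on purpose.
HOSTS_EQUIV = """\
130.102.72.40 #ip address is the most important one
130.102.72.41
130.102.72.42
macondo01 macondo03 macondo04 macondo01.eait.uq.edu.au
macondo03
"""
KNOWN_HOSTS = """\
macondo01,macondo01.eait.uq.edu.au,130.102.72.40 ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
macondo02,macondo02.eait.uq.edu.au ssh-rsa AAAAB3NzaC1yc2EAAAADA
macondo03 ssh-rsa AAAB3NzaC1yc2EAAAADAQA
"""
CLIENTS = [("macondo01", "macondo01.eait.uq.edu.au", "130.102.72.40"),
           ("macondo02", "macondo02.eait.uq.edu.au", "130.102.72.41"),
           ("macondo03", "macondo03.eait.uq.edu.au", "130.102.72.42")]

if __name__ == "__main__":
    report, ignored = audit(HOSTS_EQUIV, KNOWN_HOSTS, CLIENTS)
    for lineno, reason in ignored:
        print("hosts.equiv line %d ignored: %s" % (lineno, reason))
    for host, result in report.items():
        print(host, result)
```

On the sample, macondo01 ends up untrusted because the inline comment turns its line into garbage, and macondo02 and macondo03 are trusted but lack the IP (and FQDN) entries in ssh_known_hosts; on a real node, feed the script the contents of the two files and the (name, FQDN, IP) triples from /etc/hosts.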
5. Don't forget to restart the ssh service after changing the configuration, and enable the ssh service on boot:
sudo service ssh restart
sudo update-rc.d ssh defaults
6. On the host machine, change /etc/ssh/ssh_config as follows:
Host *
HostbasedAuthentication yes
PreferredAuthentications hostbased,publickey,keyboard-interactive,password
EnableSSHKeysign yes
SendEnv LANG LC_*
HashKnownHosts yes
Now one should be able to ssh from the host machine to the remote server without entering a password. If it is still not working, one can use
ssh -vvvv abc@macondo01
to debug the host machine, or use
/usr/sbin/sshd -ddd
to debug the remote server.
Appendix:
SSH from A to C via B
# hostA:~/.ssh/config (see man 5 ssh_config for details)
Host hostC
ProxyCommand ssh hostB nc %h %p # or netcat or whatever you have on hostB
hostA:~$ ssh hostC # this will automatically tunnel through ssh hostB
http://superuser.com/questions/107679/forward-ssh-traffic-through-a-middle-machine
Reference:
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
http://users.telenet.be/mydotcom/howto/linux/sshpasswordless.htm