So I got what I want working with RSA keys (and making sure to put the public rsa key in ~/.ssh/authorized_keys) .
and of course that prolog statment in slurm.conf . What I ended up doing was just created my own separate script analogous to cluter-env to create the rsa keys. I'm trying not to stray too far from the defaults to make upgrades easier. Thanks. On Tue, Oct 16, 2018 at 01:41:15PM -0600, Michael Jennings wrote: > On Tuesday, 16 October 2018, at 09:30:13 (-0400), > Dave Botsch wrote: > > > Hrm... it looks like the default install of OHPC went with DHA keys > > instead: > > > > .ssh]$ cat config > > # Added by Warewulf 2018-10-08 > > Host * > > IdentityFile ~/.ssh/cluster > > StrictHostKeyChecking=no > > $ file cluster > > cluster: PEM DSA private key > > That's not OHPC. That's a (rather unfortunate) part of Warewulf > called `cluster-env`, a tool used to seamlessly make passphrase-less > SSH work within a cluster without admin/user intervention. You can > see the code here: > https://github.com/warewulf/warewulf3/blob/master/cluster/bin/cluster-env > > If you install the warewulf-cluster RPM, a script installed as > /etc/profile.d/cluster-env.sh will run /usr/bin/cluster-env on each > login (for sh/ksh/bash users...and an equivalent script is installed > for csh/tcsh users). See > e.g. > https://github.com/warewulf/warewulf3/blob/master/cluster/etc/cluster-env.sh > for the stub script. > > The above version on GitHub has been updated to use RSA keys instead > of DSA, but the *actually* correct solution, rather than forceably > altering each user's SSH configuration and ~/.ssh/ contents, is to > enable Host-based authentication for SSH in /etc/ssh/sshd_config (or > GSSAPI authentication, or host-based certificates, or any of the other > options available to have machines authenticate themselves so that > users can move between cluster hosts seamlessly and securely). > > When that utility was written, DSA was the "state-of-the-art," and it > unfortunately went untouched for a very long time. The key type > should not have been hard-coded with no way to permit site-specific > configuration, but it was. As I said, though, there are better ways > to accomplish user auth between nodes without passphrases, and I > recommend disabling `cluster-env` and using one of those alternatives > instead. (In fact, it's probably best to remove the entire > warewulf-cluster RPM. wwinit and wwfirstboot are similarly ancient > tools in need of updating/replacement.) > > As for X11 forwarding/authentication, there is no easy/simple answer > to why it won't work. Lots of things need to be in sync for it to > work, including xauth, xhost, $DISPLAY, firewall rules, etc., and > there are numerous opportunities for minor misconfigurations to break > the whole kit-and-kaboodle. To troubleshoot, I recommend examining > the values of $DISPLAY and the results of `xauth list` and `xhost` > under both working and non-working conditions, and see if you can see > a pattern. Also make sure `ssh -Y` is being used all along the way, > not just `ssh -X`. > > Our solution at LANL uses a 130-line PERL script that does proper > NFS-based locking of the user's ~/.Xauthority file, forceably resets > their $DISPLAY to the correct value, and adds the correct entry to > ~/.Xauthority using `xauth add`. Our experience has been that's the > only way to correctly handle all cases. (And no, unfortunately I > can't share it, but it's not a difficult thing to write.) > > Michael > > -- > Michael E. Jennings <m...@lanl.gov> > HPC Systems Team, Los Alamos National Laboratory > Bldg. 03-2327, Rm. 2341 W: +1 (505) 606-0605 > -- ******************************** David William Botsch Programmer/Analyst @CNFComputing bot...@cnf.cornell.edu ********************************
