Secure clustering: kerberos issues (Linux Security forums, System Security and Security Related)
Hi. I've set up a secure cluster, but now I'm facing some issues about Kerberos 5 / AFS and ssh: simply, ticket/token forwarding with passwordless login doesn't work... so I'm looking for a different solution.

I have a central server A and 8 clients A1 .. A8. A is on a public IP and A? are on a private network, unreachable from outside the network.

I'd like to use ssh for parallel computing, but since it doesn't work, would you enable kerberized versions of rlogin, rsh, telnet and rcp? Anyway, are those applications secure? Or, in other words, are the passwords sent in some encrypted way, or better, do they use Kerberos authentication directly?

--
Sensei <mailto:senseiwa@tin.it>
The optimist says "Tomorrow is Sunday". The pessimist says "The day after tomorrow is Monday". (Gustave Flaubert)
Sensei <noone@nowhere.org> wrote in message news:<2p3t1dFg7v8hU1@uni-berlin.de>...
> Hi. I've set up a secure cluster, but now I'm facing some issues about
> kerberos 5 / AFS and ssh: simply, ticket/token forwarding with
> passwordless login doesn't work... so I'm looking for a different solution.
>
> I have a central server A and 8 clients A1 .. A8. A is on a public ip
> and A? are on a private network, unreachable from outside the network.
> I'd like to use ssh for parallel calculus but since it doesn't work,
> would you enable kerberized versions of rlogin, rsh, telnet and rcp?
> Anyway, those applications are secure? Or, in other words, are the
> password sent in some crypted way or better they use directly kerberos
> authentication?

Your present setup and your needs are somewhat vague at my end -- I'm cluster challenged ...

It sounds like you want secure, remote access to the cluster. Especially if you know where the remote access will be from, I think you need to look at VPN -- it's not restricted to use across the internet ;-)

You might look at this (dated) article where VPN is used to connect/combine two clusters.
http://www.linuxjournal.com/article.php?sid=6142

Googling showed a number of setups using VPN for remotely combining/accessing clusters -- all very specific, so you should look for yourself.

Kerberizing a setup/app on your own is "challenging" and time consuming. If ssh doesn't give you what you need then Kerberized versions of the others won't either. They all work at the app level -- the nice thing about VPN is that it connects _networks_ securely and allows you to use whatever apps you need.

Google provides:
52,100 English pages for linux vpn cluster
7,240 English pages for linux vpn parallel cluster

Refine as needed ...

hth,
prg
email above disabled
P Gentry wrote:
> It sounds like you want secure, remote access to the cluster.
> Especially if you know where the remote access will be from, I think
> you need to look at VPN -- it's not restricted to use across the
> internet ;-)

As said, the clients are on a VPN.

> Kerberizing a setup/app on your own is "challenging" and time
> consuming. If ssh doesn't give you what you need then Kerberized
> versions of the others won't either. They all work at the app level
> -- the nice thing about VPN is that it connects _networks_ securely
> and allows you to use whatever apps you need.

Yes, but my question was: would you use telnet or rsh? Kerberos gives in the standard installation the kerberized replacements for telnet, rsh, rlogin...

Moreover, I have to gain AFS tokens, and I do it with pam_openafs_session. Would it work with rlogin/rsh?

--
Sensei <mailto:senseiwa@tin.it>
Sensei <noone@nowhere.org> wrote in message news:<2p8dupFh1pifU1@uni-berlin.de>...
> P Gentry wrote:
> > It sounds like you want secure, remote access to the cluster.
> > Especially if you know where the remote access will be from, I think
> > you need to look at VPN -- it's not restricted to use across the
> > internet ;-)
>
> As said, the clients are on a VPN.

(Open)SSH and (Open)VPN are different beasts completely, though with some similarities (both use ssl).

> > Kerberizing a setup/app on your own is "challenging" and time
> > consuming. If ssh doesn't give you what you need then Kerberized
> > versions of the others won't either. They all work at the app level
> > -- the nice thing about VPN is that it connects _networks_ securely
> > and allows you to use whatever apps you need.
>
> Yes, but my question was: would you use telnet or rsh? Kerberos gives in
> the standard installation the kerberized replacement for telnet, rsh,
> rlogin...
>
> Moreover, I have to gain AFS tokens, and I do it with
> pam_openafs_session. Would it work with rlogin/rsh?

Sorry ... I didn't fully appreciate your setup/needs in my first reply -- duh ;-)

I would first suggest you check with :-)
comp.protocols.kerberos
http://groups.google.com/groups?hl=e...ocols.kerberos
This is where X-posting is OK -- much preferred to multi-posting ...

It's been quite a while since I played with this stuff, but ssh/kerberos/afs _should_ work. In the past couple of years people have sorted out the problems much better, and I _think_ you can find the correct means to get you going.

But ... (as always)

If you need to get up quickly and feel the kerberized rlogin/rsh will provide for your needs, it may be the way to go -- at least to start. If you or only a small number of people require access it very well could be sufficient. If the number of people and other authentication requirements grow you _probably_ want to consider using ssh remote access. There are some incompatibilities and configs that must be worked out.

Since I'm so rusty as to get you into more trouble than not, I suggest this Google web search:
"kerberos 5" + AFS ssh ticket token forward
"kerberos 5" + AFS krsh ticket token forward
"kerberos 5" + AFS krsh krlogin

Also check out MIT Kerberos, eg,
http://www.cmf.nrl.navy.mil/CCS/peop...q.html#v5vsafs
http://www.cmf.nrl.navy.mil/CCS/peop...q.html#kerbafs

Most all seem useful to some degree -- much will depend on your specific software/net setup. It _is_ a pain to get these working, but is worth the trouble.

Kerberized rlogin/rsh used to be used because getting the ssh/kerberos/afs tickets and tokens authenticated and passed around correctly (and "transparently") was _very_ problematic -- I think today there are reasonable ways to get it working.

Your best bet is to get on one of the mailing lists -- OpenAFS ? -- with some specifics. You will need some concrete, hands-on experience from someone who can diagnose your setup -- there are innumerable ways of getting it wrong :-(

Ah, and almost forgot -- we used to get bitten when first setting up because of inadequate ntp/clock updating -- so many things to keep an eye on ... ;-)

good luck,
prg
email above disabled
P Gentry wrote:
> Sorry ... I didn't fully appreciate your setup/needs in first reply --
> duh ;-)
> I would first suggest you check with :-)
> comp.protocols.kerberos
> http://groups.google.com/groups?hl=e...ocols.kerberos
> This is where X-posting is OK -- much preferred to multi-posting ...

Already did. Seems that ssh is a pretty ugly beast...

> It's been quite a while since I played with this stuff, but
> ssh/kerberos/afs _should_ work. In the past couple of years people
> have sorted out the problems much better, and I _think_ you can find
> the correct means to get you going.

It used to work... now it's a pain :(

> If you need to get up quickly and feel the kerberized rlogin/rsh will
> provide for your needs, it may be the way to go -- at least to start.
> If you or only a small number of people require access it very well
> could be sufficient. If the number of people and other authentication
> requirements grow you _probably_ want to consider using a ssh remote
> access.

I have few people using the cluster. Should rlogin/rsh fit my needs? And, will it gain tickets and tokens?

> Using kerberized rlogin/rsh used to be used because getting the
> ssh/kerberos/afs tickets and tokens authenticated and passed around
> correctly (and "transparently") was _very_ problematic -- think today
> there are reasonable ways to get it working.

I will also try the rsh way!

> Your best bet is to get on one of the mailing lists -- OpenAFS ? --
> with some specifics. You will need some concrete, hands-on experience
> from someone who can diagnose your setup -- there are innumerable ways
> of getting it wrong :-(

I can set up kerberos + kerberized openafs + openldap in a few hours. The problem still is to make many clients go from one to another via ssh without any problem. With Debian stable it is really straightforward, the only thing you need is ssh-krb5 --- but with other clients, or better with something newer than a 2-years-old distro... well...

I wouldn't post here if it were simple :)

> Ah, and almost forgot -- we used to get bitten when first setting up
> because of inadequate ntp/clock updating -- so many things to keep an
> eye on ... ;-)

We have our time servers for these issues :)

--
Sensei <mailto:senseiwa@tin.it>
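The thread never pins down why ticket forwarding over ssh fails between the cluster nodes; the following is an added example, not code from any of the posters, that checks the two client-side preconditions (GSSAPI credential delegation enabled in ssh_config, and a forwardable TGT in the credential cache). The hostnames, realm, principal and sample files are constructed, and the klist parsing assumes MIT Kerberos 'klist -f' output.

```shell
#!/bin/sh
# Added example, not from the thread: check the two client-side preconditions
# for Kerberos ticket forwarding over OpenSSH before digging further.
# Assumes OpenSSH ssh_config keywords and MIT Kerberos 'klist -f' output.
# Constructed ssh_config with the common mistake: GSSAPI login works, but
# the TGT is never delegated, so the next hop (A1 -> A2) has no ticket.
SAMPLE_SSH_CONFIG_WEAK='Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no'
# Constructed corrected form: delegate only to the private cluster hosts.
SAMPLE_SSH_CONFIG_FIXED='Host a1 a2 a3 a4 a5 a6 a7 a8
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'
# Constructed MIT-style 'klist -f' output; F in Flags marks a forwardable TGT.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: sensei@CLUSTER.EXAMPLE

Valid starting     Expires            Service principal
09/02/04 10:00:00  09/02/04 20:00:00  krbtgt/CLUSTER.EXAMPLE@CLUSTER.EXAMPLE
        renew until 09/09/04 10:00:00, Flags: FRIA'
# Print the first value of keyword $2 in config text $1 (first match wins,
# which is how OpenSSH applies ssh_config).
ssh_option() {
    printf '%s\n' "$1" | awk -v k="$2" '
        tolower($1) == tolower(k) && !found { print tolower($2); found = 1 }'
}
# 0 when both GSSAPI authentication and credential delegation are enabled.
gssapi_delegation_enabled() {
    [ "$(ssh_option "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(ssh_option "$1" GSSAPIDelegateCredentials)" = yes ]
}
# 0 when the krbtgt entry carries the F flag; a TGT obtained without
# 'kinit -f' (or forwardable = true in krb5.conf) cannot be delegated.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt { if (sub(/.*Flags: */, "") && index($0, "F")) ok = 1; in_tgt = 0 }
        END { exit ok ? 0 : 1 }'
}
# Run both checks; on a real client use the live files instead of the samples:
#   check_forwarding "$(cat /etc/ssh/ssh_config ~/.ssh/config)" "$(klist -f)"
check_forwarding() {
    rc=0
    gssapi_delegation_enabled "$1" || { echo "ssh_config: GSSAPI delegation off"; rc=1; }
    tgt_forwardable "$2" || { echo "klist: TGT not forwardable, use kinit -f"; rc=1; }
    return $rc
}
check_forwarding "$SAMPLE_SSH_CONFIG_FIXED" "$SAMPLE_KLIST"
```

The server side needs GSSAPIAuthentication enabled in sshd_config and a host principal in its keytab as well, and clock skew between KDC and nodes (the ntp point raised above) still breaks both checks in practice even when they pass here.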