Authentication
In LSF, authentication is performed either by external authentication, using the LSF eauth executable, or by identification daemons (identd). External authentication provides the highest level of security and is the default method of authentication in LSF. The eauth executable is installed in the directory specified by the LSF_SERVERDIR parameter in the lsf.conf file.
By default, eauth uses an internal key to encrypt authentication data, but you may use a customized external key to improve security. You can also write your own eauth executable to meet the security requirements of your cluster, using the default eauth as a demonstration of the eauth protocol.
Update the eauth executable file
If you are using LSF, Version 10.1 Fix Packs 2 to 9, you can also replace the default eauth executable file with the eauth.cve executable file, which automatically generates a site-specific internal key by using 128-bit AES encryption. Rename or move the original eauth executable file, then rename the eauth.cve executable file to eauth.
On Windows hosts, replace the eauth.exe executable file with eauth.cve.exe.
The new eauth command rejects LSF requests from hosts with a UTC time offset of more than five minutes compared to the LSF server host.
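The replacement steps above for a UNIX host, written as a script together with a check for the five-minute clock window. This is an added example, not IBM-supplied tooling. The function names and the eauth.orig backup name are assumptions, and the script must be run by a user who can write to the LSF_SERVERDIR directory.

```shell
#!/bin/sh
# Added example: swap in eauth.cve (LSF 10.1 Fix Packs 2 to 9).
# Function names and the .orig backup suffix are assumptions of this example.

# Print the LSF_SERVERDIR value from an lsf.conf file (last assignment wins).
lsf_serverdir() {
    sed -n 's/^[[:space:]]*LSF_SERVERDIR[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '"'
}

# Succeed only if two epoch times (UTC seconds) are within 300 s of each
# other, the five-minute window outside which the new eauth rejects requests.
# Example input: "$(date -u +%s)" from this host and from the LSF server host.
clock_within_window() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le 300 ]
}

# Rename eauth to eauth.orig, then rename eauth.cve to eauth.
# Refuses to act if a file is missing or a backup already exists.
replace_eauth() {
    dir=$(lsf_serverdir "$1")
    [ -n "$dir" ] && [ -d "$dir" ] || { echo "LSF_SERVERDIR not found in $1" >&2; return 1; }
    [ -f "$dir/eauth.cve" ] || { echo "no eauth.cve in $dir" >&2; return 2; }
    [ -f "$dir/eauth" ] || { echo "no eauth in $dir" >&2; return 2; }
    [ ! -e "$dir/eauth.orig" ] || { echo "backup $dir/eauth.orig already exists" >&2; return 3; }
    mv "$dir/eauth" "$dir/eauth.orig" || return 4
    if ! mv "$dir/eauth.cve" "$dir/eauth"; then
        mv "$dir/eauth.orig" "$dir/eauth"   # roll back so the host keeps a working eauth
        return 4
    fi
    # List both files so owner and mode of the new eauth can be compared
    # with those of the original.
    ls -l "$dir/eauth" "$dir/eauth.orig"
}

# Usage: sh replace_eauth.sh /path/to/lsf.conf
if [ $# -ge 1 ]; then
    replace_eauth "$1"
fi
```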
If you are using LSF, Version 10.1 Fix Pack 10 and later, you do not need to replace the eauth executable file because it already includes the features in the eauth.cve file. In addition, LSF, Version 10.1 Fix Pack 10 and later no longer allows root execution privileges for jobs from local and remote hosts. Any actions that were performed with root privileges must instead be performed as the LSF administrator. For more details on temporarily enabling root privileges, refer to Temporarily enable root privileges.
If you are using the new eauth command with the LSF multicluster capability in LSF clusters with the following LSF features, you must configure the same LSF_EAUTH_KEY value in the lsf.sudoers file on all related clusters:
- Interactive tasks on remote hosts run by using the lsrun -m or lsgrun -m commands
- LSF data managers
The hostsetup --setuid command enables the setuid bit for the following LSF executable files: badmin, lsadmin, egosh, utmpreg, swtbl_api, ntbl_api, lstbl_nid, and swtbl_poe.
If you are using IBM® Spectrum LSF RTM, you must also update to the corresponding new eauth executable file for IBM Spectrum LSF RTM.