Configuration to modify external authentication

You can modify external authentication behavior by writing your own eauth executable and by modifying configuration parameters.

The configuration parameters modify various aspects of external authentication behavior by:
  • Increasing security by using an external encryption key (recommended)
  • Specifying a trusted user account under which the eauth executable runs (UNIX and Linux only)

Note: To use the lsf.sudoers file, you must enable the setuid bit for the LSF administration commands. Run the hostsetup --setuid command on the LSF management and candidate hosts. Because this allows the LSF administration commands to run with root privileges, do not enable the setuid bit if you do not want these commands to run with root privileges.

The hostsetup --setuid command enables the setuid bit for the following LSF executable files: badmin, lsadmin, egosh, utmpreg, swtbl_api, ntbl_api, lstbl_nid, and swtbl_poe.

Configuration to modify security

File: lsf.sudoers

Parameter and syntax: LSF_EAUTH_KEY=key
Description:
  • The eauth executable file uses the external encryption key that you define to encrypt and decrypt the credentials.
  • The key must contain at least 6 characters and must use only printable characters.
  • For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. You must also configure eauth as setuid to root so that eauth can read the lsf.sudoers file and obtain the value of LSF_EAUTH_KEY.
  • For Windows, you must edit the shared lsf.sudoers file.

Parameter and syntax: LSF_EAUTH_OLDKEY=key
Description:
  • Specifies the previous key that eauth used to encrypt and decrypt user authentication data after you specify a new eauth key.
  • Defining this parameter gives LSF administrators time to update the eauth key on each host in the cluster without disrupting authentication operations.
  • All rules that apply to LSF_EAUTH_KEY also apply to LSF_EAUTH_OLDKEY.
  • To use this parameter, you must also define LSF_EAUTH_OLDKEY_EXPIRY.

Parameter and syntax: LSF_EAUTH_OLDKEY_EXPIRY=[[year:][month:]day:]hour:minute
Description:
  • Specifies the expiry date and time for the previous eauth key (LSF_EAUTH_OLDKEY), after which the previous key no longer works and only LSF_EAUTH_KEY works.

Configuration to specify the eauth user account

On UNIX hosts, the eauth executable runs under the account of the primary LSF administrator. You can modify this behavior by specifying a different trusted user account. For Windows hosts, you do not need to modify the default behavior because eauth runs under the service account, which is always a trusted, secure account.

File: lsf.sudoers

Parameter and syntax: LSF_EAUTH_USER=user_name
Description:
  • UNIX only
  • The eauth executable runs under the account of the specified user rather than the account of the LSF primary administrator.
  • You must edit the lsf.sudoers file on all hosts within the cluster and specify the same user name.
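
The following check is an added example, not part of LSF or of the original page. It applies the rules stated above for LSF_EAUTH_KEY, LSF_EAUTH_OLDKEY, LSF_EAUTH_OLDKEY_EXPIRY, and LSF_EAUTH_USER to the text of an lsf.sudoers file, and compares copies collected from several hosts. The function names, the NAME=value parsing with "#" comments, and the reading of "printable" as printable ASCII are assumptions; the sample values are constructed.

```python
import re

KEY_PARAMS = ("LSF_EAUTH_KEY", "LSF_EAUTH_OLDKEY")
# [[year:][month:]day:]hour:minute -> two to five colon-separated numbers.
# Format check only; field ranges are not validated.
EXPIRY_RE = re.compile(r"\d+(:\d+){1,4}")

def parse(text):
    """Return {NAME: value} from NAME=value lines (assumed layout, '#' comments)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def check_eauth(text):
    """Return findings for one lsf.sudoers file; key values are never echoed."""
    p, findings = parse(text), []
    for name in KEY_PARAMS:
        key = p.get(name)
        if key is None:
            continue
        if len(key) < 6:
            findings.append(f"{name}: shorter than 6 characters")
        # Assumption: "printable" is read as printable ASCII (0x20-0x7E).
        if not all(32 <= ord(c) < 127 for c in key):
            findings.append(f"{name}: contains non-printable characters")
    if "LSF_EAUTH_OLDKEY" in p and "LSF_EAUTH_OLDKEY_EXPIRY" not in p:
        findings.append("LSF_EAUTH_OLDKEY set without LSF_EAUTH_OLDKEY_EXPIRY")
    expiry = p.get("LSF_EAUTH_OLDKEY_EXPIRY")
    if expiry is not None and not EXPIRY_RE.fullmatch(expiry):
        findings.append("LSF_EAUTH_OLDKEY_EXPIRY: bad format")
    return findings

def check_cluster(files):
    """files maps host name -> lsf.sudoers text; flag values that differ."""
    findings = []
    for name in ("LSF_EAUTH_KEY", "LSF_EAUTH_USER"):
        values = {parse(text).get(name) for text in files.values()}
        if len(values) > 1:
            findings.append(f"{name}: not identical on all hosts")
    return findings

# Constructed sample: rotation started, old key too short, expiry forgotten.
SAMPLE = "LSF_EAUTH_KEY=n3w-Key_2024\nLSF_EAUTH_OLDKEY=abc\nLSF_EAUTH_USER=lsfauth\n"

if __name__ == "__main__":
    for finding in check_eauth(SAMPLE):
        print(finding)
```

While hosts are still being updated during a key change, check_cluster reports the LSF_EAUTH_KEY difference; an empty result from it after the expiry time confirms that every host carries the same key and user name.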