| Authentication method | Description | Configuration | Behavior |
|---|---|---|---|
| External authentication | A framework that enables you to integrate LSF with any third-party authentication product, such as Kerberos or DCE Security Services, to authenticate users, hosts, and daemons. This feature provides a secure transfer of data within the authentication data stream between LSF clients and servers. Using external authentication, you can customize LSF to meet the security requirements of your site. | LSF_AUTH=eauth | LSF uses the default eauth executable located in LSF_SERVERDIR. The default executable provides an example of how the eauth protocol works. You should write your own eauth executable to meet the security requirements of your cluster. For a detailed description of the external authentication feature and how to configure it, see External authentication. |
| Identification daemon (identd) | Authentication using the identd daemon available in the public domain. | LSF_AUTH=ident | LSF uses the identd daemon available in the public domain. LSF supports both the RFC 931 and RFC 1413 protocols. |
| Privileged ports (setuid) | User authentication between LSF clients and servers on UNIX hosts only. An LSF command or other executable configured as setuid uses a reserved (privileged) port number (1-1024) to contact an LSF server. The LSF server accepts requests received on a privileged port as coming from the root user and then runs the LSF command or other executable using the real user account of the user who issued the command. | LSF_AUTH not defined | For UNIX hosts only, LSF clients (API functions) use reserved ports 1-1024 to communicate with LSF servers. The number of user accounts that can connect concurrently to remote hosts is limited by the number of available privileged ports. LSF_AUTH must be deleted or commented out, and LSF commands must be installed as setuid programs owned by root. |

Note: To enable the setuid bit on the LSF commands, run the hostsetup --setuid command option on the LSF parent and candidate hosts. Since this allows LSF administration commands to run with root privileges, do not enable the setuid bit if you do not want these LSF commands to run with root privileges. The hostsetup --setuid command enables the setuid bit for the following LSF executable files: badmin, lsadmin, egosh, utmpreg, swtbl_api, ntbl_api, lstbl_nid, and swtbl_poe.
UNIX user and host authentication
The primary LSF administrator can configure additional authentication for UNIX users and hosts by defining the parameter LSF_USE_HOSTEQUIV in the lsf.conf file. With LSF_USE_HOSTEQUIV defined, mbatchd on the parent host and RES on the remote host call the ruserok(3) function to verify that the originating host is listed in the /etc/hosts.equiv file and that the host and user account are listed in the $HOME/.rhosts file. Include the name of the local host in both files. This additional level of authentication works in conjunction with eauth, privileged ports (setuid), or identd authentication.
CAUTION: Using the /etc/hosts.equiv and $HOME/.rhosts files grants permission to use the rlogin and rsh commands without requiring a password.
SSH
SSH is a network protocol that provides confidentiality and integrity of data using a secure channel between two networked devices. Use SSH to secure communication between submission, execution, and display hosts.
A frequently used option is to submit jobs with SSH X11 forwarding (bsub -XF), which allows a user to log into an X-Server client, access the submission host through the client, and run an interactive X-Window job, all through SSH.
Strict checking protocol in an untrusted environment
Note: LSF_STRICT_CHECKING=ENHANCED is now the default setting and this section might be removed in a future version of LSF.
To improve security in an untrusted environment, the primary LSF administrator can enable the use of a strict checking communications protocol. When you define LSF_STRICT_CHECKING in lsf.conf, LSF authenticates messages passed between LSF daemons and between LSF commands and daemons. This type of authentication is not required in a secure environment, such as when your cluster is protected by a firewall.
Important: You must shut down the cluster before adding or deleting the LSF_STRICT_CHECKING parameter.
Authentication failure
If authentication fails (the user's identity cannot be verified), LSF displays the following error message after a user issues an LSF command:
User permission denied
This error has several possible causes depending on the authentication method used.
| Authentication method | Possible cause of failure |
|---|---|
| eauth | External authentication failed |
| identd | The identification daemon is not available on the local or submitting host |
| setuid | The LSF applications are not installed setuid; the NFS directory is mounted with the nosuid option |
| ruserok | The client (local) host is not found in either the /etc/hosts.equiv or the $HOME/.rhosts file on the parent or remote host |
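The two setuid failure causes above (command not installed setuid root, or installed on a filesystem mounted nosuid, where the kernel ignores the setuid bit) can be checked before users see "User permission denied". The following script is an added example, not part of the LSF documentation or the hostsetup tool; the file paths it is given and the /proc/mounts-style table in the usage note are assumptions.

```shell
#!/bin/sh
# Added example: verify the prerequisites for privileged-port (setuid)
# authentication on one LSF executable. Not LSF's own code.

# Return 0 if FILE is owned by root and carries the setuid bit, 1 otherwise.
is_setuid_root() {
  [ -u "$1" ] || return 1
  [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Print the mount options of the filesystem that holds FILE ($1), read from a
# table in /proc/mounts format ($2, default /proc/mounts). The longest mount
# point that is a path prefix of FILE wins, so /nfs/lsf beats / for /nfs/lsf/bin/bsub.
mount_options_for() {
  awk -v f="$1" '
    {
      mp = $2
      if (index(f, mp) == 1 &&
          (mp == "/" || substr(f, length(mp) + 1, 1) == "/") &&
          length(mp) > best) { best = length(mp); opts = $4 }
    }
    END { print opts }' "${2:-/proc/mounts}"
}

# Return 0 if the comma-separated option list in $1 contains "nosuid".
mount_has_nosuid() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -qx nosuid
}

# Combined check for one LSF executable ($1), optional mount table ($2).
# Exit status: 0 = usable for setuid authentication,
#              1 = not a root-owned setuid program,
#              2 = filesystem mounted nosuid (setuid bit is ignored there).
check_lsf_setuid() {
  opts=$(mount_options_for "$1" "${2:-/proc/mounts}")
  mount_has_nosuid "$opts" && return 2
  is_setuid_root "$1" || return 1
  return 0
}
```

Typical use on a real host is `check_lsf_setuid "$LSF_BINDIR/bsub"` (LSF_BINDIR is assumed to point at the LSF command directory), repeated for each command that must authenticate through a privileged port.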