On Tue, 25 May 2021 14:09:54 +0200 "Loris Bennett" <loris.benn...@fu-berlin.de> wrote:
> to work with pam_slurm_adopt but without any SSH keys. My assumption
> was that MUNGE takes care of the authentication, since users' jobs
> start on nodes with the need for keys.
>
> Can someone confirm that this expectation is wrong and, if possible,
> why the analogy with jobs is incorrect?

sshd uses PAM for authentication purposes only for the methods "password" and "challenge-response". The remaining involvement of PAM is limited to the "account" and "session" facilities (the latter of which pam_slurm_adopt is associated with).

Thus, if not using "password" or "challenge-response" authentication in sshd, some other authentication method has to be used (by sshd) which cannot possibly rely on PAM.

On Tue, 25 May 2021 17:31:42 +0100 Tina Friedrich <tina.friedr...@it.ox.ac.uk> wrote:
> ...I really didn't want to wade in on this, but why not set up host
> based ssh? It's not exactly as if passphraseless keys give better
> security?

Imho it's worse. With hostbased-authentication you do limit from where which nodes of the cluster can be accessed (and this will usually be restricted to "inside the cluster"). With passwordless key-pairs, in contrast, passwordless access to the cluster from outside is possible as soon as a generated private key is taken outside.

Best regards,
Max
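
The host-based setup discussed in this message, sketched as an added example that is not part of the original thread or of anyone's actual cluster configuration. The host names and key placeholders are constructed, and disabling user public keys on the compute nodes is an assumption made here to match the "no SSH keys" goal.

```sshconfig
# ---- compute node: /etc/ssh/sshd_config (server side) ----
# Keep PAM enabled so the account and session stacks still run.
UsePAM yes
# The two methods for which sshd would consult the PAM auth stack; both off.
PasswordAuthentication no
# Named ChallengeResponseAuthentication on older OpenSSH releases.
KbdInteractiveAuthentication no
# Assumption for this example: no per-user key pairs on compute nodes.
PubkeyAuthentication no
# sshd itself authenticates the connecting host by its host key.
HostbasedAuthentication yes
# Ignore per-user ~/.rhosts and ~/.shosts; only the system-wide list counts.
IgnoreRhosts yes

# ---- compute node: /etc/ssh/shosts.equiv ----
# Hosts allowed to use host-based authentication (constructed names).
login1.cluster.example
node001.cluster.example

# ---- compute node: /etc/ssh/ssh_known_hosts ----
# Public host keys of the hosts listed above (placeholders, not real keys).
login1.cluster.example ssh-ed25519 <PUBLIC-HOST-KEY-OF-LOGIN1>
node001.cluster.example ssh-ed25519 <PUBLIC-HOST-KEY-OF-NODE001>

# ---- connecting host inside the cluster: /etc/ssh/ssh_config (client side) ----
Host *.cluster.example
    HostbasedAuthentication yes
    # Allows ssh-keysign to sign the request with this host's private host key.
    EnableSSHKeysign yes
```

Because the credential is the connecting machine's host key rather than a file in the user's home directory, a user has no private key to copy off the cluster, and only hosts listed in `shosts.equiv` with a matching entry in `ssh_known_hosts` are accepted.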