MCSG: Authentication issuesΒΆ

Title:MCSG: Authentication issues
Author:Douglas O’Leary <dkoleary@olearycomputers.com>
Description:MCSG: Authentication issues
Date created:06/2005
Date updated:07/2006
Disclaimer:Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me...

Clusters must have a high level method of communicating back and forth. HP, in its infinite wisdom, decided the best way to do this was to enable a root level trust relationship between all the nodes in a cluster. Anybody with a modicum of security training usually says something to the effect of “Glurk!” when presented with that.

To satisfy us paranoid security types, HP gave us the ability to list all cluster nodes in a special file which circumvents the requirement for root level trusted hosts. That file is /etc/cmcluster/cmclnodelist

The biggest disadvantage to disabling the root level trust relationship involves the necessity of moving run/stop scripts hither & yon. ftp, for instance, strips the executable bit off any files transferred. So, the admin will have to go to each node and reset the executable bit to keep failover for falling over - so to speak.

One option is to get ssh and scopy and figure out how to script it.

Another option is to create a perl script that will securely copy files from specific directories, to specific directories. I personally like the idea of the perl script because it’s a lot more flexible. You can, for instance, have the script only copy the files to the specific nodes that are affected by the package and make backup copies of any files.

If/when I get a chance to write that particular script, it’ll be posted here.