Passwordless authentication in openpbs 20

Hi!
I am trying to install openPBS 20. I read the documentation and I am stuck at:
Installation & Upgrade Guide
Pre-Installation Steps
2.1.7.2 Linux User Authorization

  1. PBS may be configured to use the Secure Copy (scp) for file transfers. The administrator sets up SSH keys as
    described in “Enabling Passwordless Authentication” on page 553 in the PBS Professional Administrator’s Guide.
    See also “Setting File Transfer Mechanism” on page 547 in the PBS Professional Administrator’s Guide.

I need Passwordless Authentication to get output files from MOMs.
I go to:
PBS Professional 2020.1 Administrator’s Guide
14.6.7.1 Enabling Passwordless Authentication

You can use any authentication method you want, such as a shosts.equiv file, an authorized keys file, or .rhosts authentication. You can choose a cipher and use encryption; balance the CPU time required by encryption with the CPU time required by MoMs and job tasks.

Is there any explanation of the above topics in the documentation?
When I was using PBSpro 14.2, I did it as described in the admin guide 14.2:
7.9.4.2 SSH/SCP
Is this also correct for version 20 of openPBS?
Or should I use MUNGE, as described in:
PBS Professional 2020.1 Administrator’s Guide
8.4.4 Authentication via MUNGE
?

Yes, that's correct.

You do not have to, unless you want all communication to be secured.

Thank you

Thank you for your reply.
Please tell me, is MUNGE a replacement for host-based authentication, or just a new feature to make communication more secure?

If I use MUNGE in my cluster, do I not need to set up host-based authentication, or are those two topics not related?

Regards!

No, it is not related to user-sshkey-based or host-based authentication.

Yes you are correct.
Please check this section 8.4.4 Authentication via MUNGE
https://www.altair.com/pdfs/pbsworks/PBSAdminGuide2021.1.pdf

Ref: GitHub - dun/munge: MUNGE (MUNGE Uid 'N' Gid Emporium) is an authentication service for creating and validating user credentials.
MUNGE ( MUNGE Uid ‘N’ Gid Emporium ) is an authentication service for creating and validating user credentials. It is designed to be highly scalable for use in an HPC cluster environment. It provides a portable API for encoding the user’s identity into a tamper-proof credential that can be obtained by an untrusted client and forwarded by untrusted intermediaries within a security realm. Clients within this realm can create and validate credentials without the use of root privileges, reserved ports, or platform-specific methods.

  • The two topics are not related
  • Host-based passwordless SSH or user-key-based passwordless SSH is required
  • Snippet from the PBS Pro Admin guide:
    You can use the MUNGE authentication daemon to create and validate credentials within a PBS complex. Using MUNGE, the hosts in the PBS complex form a security realm and share a cryptographic key. PBS processes can use MUNGE to authenticate the UID and GID of other processes on hosts in a PBS complex. The client machines in the complex can create and validate credentials without using root privilege, reserved ports, or methods requiring a specific platform.
    PBS Professional uses the MUNGE authentication service to authenticate the UID and GID of PBS processes, and to create and validate credentials. Once MUNGE is integrated, communication for PBS commands and daemons is validated via MUNGE. All PBS daemons are authenticated via MUNGE when they try to connect to pbs_comm.

Hi,
If someone is searching for a method to enable passwordless authentication, this is a method which works on CentOS 8:

  1. In /etc/hosts you need to have all host names (short and long) and IPs.
  2. Edit file /etc/ssh :
    Host *
    HostbasedAuthentication yes
    EnableSSHKeysign yes
  3. Edit file /etc/ssh/sshd_config :
    HostbasedAuthentication yes
    IgnoreUserKnownHosts yes
    IgnoreRhosts yes
    UseDNS yes
  4. Create the file /etc/ssh/shosts.equiv, which includes the FQDN names of all hosts.
  5. Create or edit the file /etc/ssh/ssh_known_hosts2, whose lines look, for example, like this:
    h1,host1,host1.domain.com,host_IP ssh-ed25519 AAAAAkjdfkjf…
    After the IP comes the type of public key algorithm, and next is the host public key for that algorithm.

To quickly create the ssh_known_hosts2 file, you can use the ssh-keyscan command:
    ssh-keyscan -t ed25519 -f ssh_hosts >> ssh_known_hosts2
then copy it to /etc/ssh/
Here I use an ssh_hosts file which includes the names of all hosts and is in the reverse format to the /etc/hosts file, e.g.:
    h1,host1,host1.domain.com,host_IP
  6. Next you need to restart the sshd service: sudo systemctl restart sshd.
From now on, you should be able to connect via ssh to any host in your complex without entering a password.

2 Likes