Platform LSF Administration Guide Version 6.2
Administering Platform LSF
About User Authentication
LSF recognizes UNIX and Windows authentication environments, including different
Windows domains and individual Windows workgroup hosts.
◆ In a UNIX environment, user accounts are validated at the system level, so your user
  account is valid on all hosts.
◆ In a Windows domain environment, user accounts are validated at the domain level,
  and your user account is valid on all hosts in your domain (and might be valid in
  other domains, if there is a trust relationship).
◆ In a Windows workgroup environment, each host authenticates the user account,
  so your local account is only valid on one host.
User authentication options
To enable LSF users to execute commands remotely, you must specify the authentication
method LSF uses to authorize remote execution across the network.
You have the following choices:
◆ External authentication (eauth)
◆ Privileged ports (setuid)
◆ Identification daemon (identd)
If you change the authentication type while the LSF daemons are running, you must shut
down and restart the LSF daemons on each LSF server host, so that the daemons will
use the new authentication method.
External authentication (eauth)
External authentication uses the LSF eauth executable installed in LSF_SERVERDIR.
Optionally, you may choose to write your own eauth executable that uses some
site-specific authentication method such as Kerberos or DCE client authentication
using the GSSAPI.
By default, eauth uses an internal key to encrypt authentication data. To use an external
key to improve security, configure the parameter LSF_EAUTH_KEY in the
lsf.sudoers file. The default eauth program is installed without setuid
permission. If you use LSF_EAUTH_KEY, eauth must be setuid.
The eauth mechanism can pass data (such as authentication credentials) from users to
execution hosts. The environment variable LSF_EAUTH_AUX_DATA specifies the
full path to a file where data, such as a credential, is stored. The mechanisms of
eauth -c and eauth -s allow the LSF daemons to pass this data using a secure exchange.
LSF_AUTH in lsf.conf
Installation with lsfinstall sets LSF_AUTH=eauth in lsf.conf automatically. To use
another authentication mechanism, you must change the value of LSF_AUTH and
restart all LSF daemons.
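The LSF_AUTH setting and the rule that eauth must be setuid when LSF_EAUTH_KEY is used can be checked on a host with a short script. This is an added example, not part of the guide or of LSF; the function names, exit codes and messages are assumptions of the example, and the paths to lsf.conf, lsf.sudoers and the eauth binary are passed in by the caller.

```shell
#!/bin/sh
# Added example (not part of the LSF distribution): consistency check for the
# eauth settings described above. All file paths are supplied by the caller.

# conf_value KEY FILE: print the last uncommented KEY=VALUE value in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" 2>/dev/null |
        tail -n 1 | tr -d '"'
}

# audit_eauth LSF_CONF LSF_SUDOERS EAUTH_BIN
# Exit status: 0 = consistent (or eauth not in use), 1 = misconfigured,
#              2 = advisory (eauth relies on its internal key).
# The body is a subshell, so variables stay local and 'exit' ends only the check.
audit_eauth() (
    auth=$(conf_value LSF_AUTH "$1")
    key=$(conf_value LSF_EAUTH_KEY "$2")
    eauth=$3

    if [ "$auth" != "eauth" ]; then
        echo "INFO: LSF_AUTH='$auth', eauth checks skipped"
        exit 0
    fi
    if [ ! -x "$eauth" ]; then
        echo "FAIL: $eauth is missing or not executable"
        exit 1
    fi
    if [ -z "$key" ]; then
        # Never print the key itself; only report whether one is configured.
        echo "WARN: LSF_EAUTH_KEY not set, eauth uses its internal key"
        exit 2
    fi
    if [ ! -u "$eauth" ]; then
        echo "FAIL: LSF_EAUTH_KEY is set but $eauth is not setuid"
        exit 1
    fi
    echo "OK: LSF_AUTH=eauth, external key configured, $eauth is setuid"
    exit 0
)
```

Run the check on each LSF server host after changing LSF_AUTH or LSF_EAUTH_KEY and before restarting the daemons.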
eauth -c host_name
When a command is invoked, the client program automatically executes eauth -c
host_name to get the external authentication data, where host_name is the name of
the host running the LSF daemon (for example, RES) on which the operation will take
place. The external user authentication data is passed to LSF through the standard
output of the eauth program.