Platform LSF Administration Guide Version 6.2

ManualsBrandsHP ManualsSoftwareHP XC System 3.x Software

561

562

563

564

565

566

567

568

569

570

About User Authentication

Administering Platform LSF

568

LSF_AUTH in

lsf.conf

If you do not define LSF_AUTH in lsf.conf, privileged ports (setuid) authentication is

the default user authentication used by LSF. Installation with lsfinstall sets

LSF_AUTH=eauth automatically. To use setuid authentication, you must remove

LSF_AUTH from lsf.conf. LSF_AUTH=setuid is an incorrect configuration

Identification daemon (identd)

LSF also supports authentication using the RFC 931 or RFC 1413 identification

protocols. Under these protocols, user commands do not need to be installed as

setuid programs owned by root. You must install the identd daemon available in the

public domain.

The RFC 1413 and RFC 931 protocols use an identification daemon running on each

client host. RFC 1413 is a more recent standard than RFC 931. LSF is compatible with

both. Using an identification daemon incurs more overhead, but removes the need for

LSF applications to allocate privileged ports.

You should use identification daemons if your site cannot install programs owned by

root with the

setuid bit set, or if you have software developers creating new load-

sharing applications in C using LSLIB.

An implementation of RFC 931 or RFC 1413 such as

pidentd or authd can be

obtained from the public domain. If you have Internet FTP access, a good source for

identification daemons is host

ftp.lysator.liu.se, directory

pub/ident/servers.

LSF_AUTH in

lsf.conf

Installation with lsfinstall sets LSF_AUTH=eauth in lsf.conf automatically. To use

identd authentication, you must set LSF_AUTH=ident in lsf.conf.

How LSF determines the user authentication method

LSF uses the LSF_AUTH parameter in the lsf.conf file to determine which type of

authentication to use:

LSF_AUTH=eauth

is set automatically during installation with lsfinstall. LSF runs

the external executable

eauth in the LSF_SERVERDIR directory to perform the

authentication.

If a load-sharing application is not

setuid to root, library functions use a non-

privileged port. If the LSF_AUTH parameter is not set in

lsf.conf, the connection is

rejected.

LSF_AUTH=ident

or undefined

If LSF_AUTH is defined to be ident, RES on the remote host, or mbatchd in the

case of a

bsub command, contacts the identification daemon on the local host to verify

the user ID. The identification daemon looks directly into the kernel to make sure the

network port number being used is attached to a program being run by the specified

user.

If LSF_AUTH is ... LSF uses ...

eauth External authentication (eauth)

Not defined Privileged ports (setuid)

ident Identification daemon (identd)