LSF Version 7.3 - Administering Platform LSF
Authentication options
NOTE: If you change the authentication method while LSF daemons are running, you must shut down and restart the daemons on all hosts in order to apply the changes.
When the external authentication (eauth) feature is enabled, you can also configure LSF to authenticate daemons by defining the parameter LSF_AUTH_DAEMONS in lsf.conf.
All authentication methods supported by LSF depend on the security of the root account on all hosts in the cluster.
UNIX user and host authentication
The primary LSF administrator can configure additional authentication for UNIX users and hosts by defining the parameter LSF_USE_HOSTEQUIV in the lsf.conf file. With LSF_USE_HOSTEQUIV defined, mbatchd on the master host and RES on the remote host call the ruserok(3) function to verify that the originating host is listed in the /etc/hosts.equiv file and that the host and user account are listed in
Authentication method: External authentication
Description: A framework that enables you to integrate LSF with any third-party authentication product—such as Kerberos or DCE Security Services—to authenticate users, hosts, and daemons. This feature provides a secure transfer of data within the authentication data stream between LSF clients and servers. Using external authentication, you can customize LSF to meet the security requirements of your site.
Configuration: LSF_AUTH=eauth
Behavior: LSF uses the default eauth executable located in LSF_SERVERDIR. The default executable provides an example of how the eauth protocol works. You should write your own eauth executable to meet the security requirements of your cluster. For a detailed description of the external authentication feature and how to configure it, see the Platform LSF Configuration Reference.

Authentication method: Identification daemon (identd)
Description: Authentication using the identd daemon available in the public domain.
Configuration: LSF_AUTH=ident
Behavior:
◆ LSF uses the identd daemon available in the public domain.
◆ LSF supports both RFC 931 and RFC 1413 protocols.

Authentication method: Privileged ports (setuid)
Description: User authentication between LSF clients and servers on UNIX hosts only. An LSF command or other executable configured as setuid uses a reserved (privileged) port number (1-1024) to contact an LSF server. The LSF server accepts requests received on a privileged port as coming from the root user and then runs the LSF command or other executable using the real user account of the user who issued the command.
Configuration: LSF_AUTH not defined
Behavior:
◆ For UNIX hosts only, LSF clients (API functions) use reserved ports 1-1024 to communicate with LSF servers.
◆ The number of user accounts that can connect concurrently to remote hosts is limited by the number of available privileged ports.
◆ LSF_AUTH must be deleted or commented out and LSF commands must be installed as setuid programs owned by root.
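
The following is an added example, not part of the Platform LSF documentation: a Python check that reads lsf.conf text and reports which authentication method from the table above is in effect, with the review points each setting implies. It assumes lsf.conf holds KEY=value lines with # comment lines; the function names and the sample configuration are constructed for illustration.

```python
import stat

# Values of LSF_AUTH named in the table above; anything else is flagged.
METHODS = {"eauth": "external authentication (eauth)",
           "ident": "identification daemon (identd)"}

def parse_lsf_conf(text):
    """Return active KEY=value settings; '#' comment lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"\'')
    return settings

def audit_auth(text):
    """Map lsf.conf contents to the method in effect plus review notes."""
    conf = parse_lsf_conf(text)
    auth = conf.get("LSF_AUTH")
    notes = []
    if auth is None:
        # LSF_AUTH deleted or commented out: privileged ports are used.
        method = "privileged ports (setuid)"
        notes.append("LSF commands must be setuid programs owned by root")
    elif auth in METHODS:
        method = METHODS[auth]
    else:
        method = "unrecognized"
        notes.append("LSF_AUTH=%s is not a value listed in the table" % auth)
    if "LSF_AUTH_DAEMONS" in conf and auth != "eauth":
        notes.append("LSF_AUTH_DAEMONS is set but eauth is not enabled")
    if "LSF_USE_HOSTEQUIV" in conf:
        notes.append("ruserok(3) host check enabled: review /etc/hosts.equiv")
    return method, notes

def is_setuid_root(st_mode, st_uid):
    """True when a file's mode/owner match 'setuid program owned by root'."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0

# Constructed sample: LSF_AUTH is commented out, so privileged ports apply.
SAMPLE = """\
# LSF_AUTH=eauth
LSF_AUTH_DAEMONS=1
LSF_USE_HOSTEQUIV=y
LSF_SERVERDIR=/opt/lsf/etc
"""

print(audit_auth(SAMPLE))
```

Pass the st_mode and st_uid fields from os.stat() on each installed LSF command to is_setuid_root() when the reported method is privileged ports.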