expired saffron password
Is it possible that setting up a short "PASS_MAX_DAYS" setting in login.defs (say, 90 days or similar) may cause some automated processes that use SSH with their keys to fail? I manually attempted to SSH to another node in the cluster, and was presented with a dialog to change the saffron user password because it had expired. I would figure that if a script was running and SSHed into this server, it would not be able to proceed due to the password prompt.
This setting was set most likely due to our security team requirements.
Support Staff 2 Posted by Yen-Min Huang on 03 Aug, 2009 08:45 PM
Yes, it is possible to restrict the ssh keys login and require PAM authorization with the password expiration through /etc/ssh/ssh_config. Currently, the saffron cluster is set up to rely on public key (rsa) ssh login for the user 'saffron', which is allowed by the default ssh setting (PubkeyAuthentication=yes). It is also possible to use ssh_config to limit certain users to be able to ssh. Depending on your infrastructure, one could set up a private network for the cluster, and only allow access through the head node. Within the private network, the direct ssh login is permitted. If you have different security requirements to meet and have difficulties in setting up the cluster, please let us know.
Yen-Min
Support Staff 3 Posted by David E. Young on 04 Aug, 2009 12:19 PM
Yes, please don't do that. The cluster environment tools depend on being able to ssh reliably into each node.
-- david
Support Staff 4 Posted by Jim Fleming on 24 Sep, 2009 05:17 PM
This issue has been closed.
Jim Fleming closed this discussion on 24 Sep, 2009 05:17 PM.
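An added example, not part of the original thread or the product's own tooling: a small audit of shadow(5) password-aging fields that flags accounts whose password has expired or will soon, which is the condition the question describes for the key-based 'saffron' login. The sample lines are constructed, every account name other than 'saffron' is hypothetical, and the audit date is assumed to be the date of the first reply.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow(5) stores dates as days since this day

# Constructed sample shadow(5) lines; hashes are placeholders, not real data.
SAMPLE_SHADOW = """\
root:$6$placeholder:14000:0:99999:7:::
saffron:$6$placeholder:14365:0:90:7:::
backup:$6$placeholder:14380:0:90:7:::
ops:$6$placeholder:0:0:90:7:::
svc:$6$placeholder:14000:0::7:::
"""

def classify(line, today, warn_days=14):
    """Return (user, status, expiry_date_or_None) for one shadow(5) line."""
    fields = line.split(":")
    user, lastchg, maxdays = fields[0], fields[2], fields[4]
    if lastchg == "0":
        return user, "expired", None          # change forced at next login
    if not lastchg or not maxdays or not 0 <= int(maxdays) < 99999:
        return user, "no-aging", None         # no maximum age in effect
    expiry = EPOCH + timedelta(days=int(lastchg) + int(maxdays))
    if today > expiry:
        return user, "expired", expiry
    if (expiry - today).days <= warn_days:
        return user, "expiring", expiry
    return user, "ok", expiry

def audit(shadow_text, today, warn_days=14):
    """Map each account to (status, expiry) so automation accounts can be reviewed."""
    results = {}
    for line in shadow_text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, status, expiry = classify(line, today, warn_days)
            results[user] = (status, expiry)
    return results

if __name__ == "__main__":
    # Assumed audit date: the day of the first reply in the thread.
    for user, (status, expiry) in audit(SAMPLE_SHADOW, date(2009, 8, 3)).items():
        print(f"{user:8} {status:9} {expiry or '-'}")
```

On a live node the same fields for one account can be read with `chage -l saffron`; reading /etc/shadow directly requires root.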