4.3 Security Configuration
The command fanout tools support both remote shell (rsh or rcmd) and ssh transports. Each requires specific security setup steps in order to authorize the user initiating the command fanout operation to execute a command on the remote target systems. The command fanout tools require that the remote system not prompt for a password. Both rsh and ssh transports must be preconfigured on each remote system to allow
4.3.1 Remote Shell Security Setup
When using the remote shell command transport, the local user must have a $HOME/.rhosts file configured on each remote target system. Refer to the rhosts(4) reference manpage for details on configuring the $HOME/.rhosts file.
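A check an administrator can run on a target system's .rhosts before relying on it for command fanout, as an added example that is not part of the original guide. It flags a bare "+" in the host or user field, which the rhosts format treats as a wildcard, and a file writable by group or others. The function names, host names and user names are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: names, hosts and users below are hypothetical.

# Write a constructed sample .rhosts (not taken from any real system).
make_sample_rhosts() {
    cat > "$1" <<'EOF'
# host                   user
adminhost.example.com    opsuser
+                        opsuser
node2.example.com        +
EOF
    chmod 600 "$1"
}

# Print one finding per line. Returns 0 if clean, 1 on findings, 2 if missing.
audit_rhosts() {
    file=$1
    findings=0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # The file should be writable by its owner only.
    perms=$(ls -ld "$file" | cut -c1-10)
    case $perms in
        -????-??-?) ;;   # group and other write bits are both clear
        *) echo "PERMS $file is $perms"; findings=1 ;;
    esac

    # Entries are "host [user]"; a bare "+" in either field is a wildcard.
    lineno=0
    while read -r host user rest || [ -n "$host" ]; do
        lineno=$((lineno + 1))
        case $host in ''|'#'*) continue ;; esac
        if [ "$host" = "+" ]; then
            echo "WILDCARD-HOST $file:$lineno trusts every host"
            findings=1
        fi
        if [ "$user" = "+" ]; then
            echo "WILDCARD-USER $file:$lineno trusts every user on $host"
            findings=1
        fi
    done < "$file"
    return "$findings"
}
```

Run `audit_rhosts "$HOME/.rhosts"` on each target; a nonzero return means the file grants more trust than a single named host and user pair.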
4.3.2 ssh Security Setup
ssh uses public host keys to authenticate remote hosts and supports public key authentication to authenticate users. When users’ public keys are properly configured on a set of remote systems, they can access those systems without being prompted for a password. Manually configuring ssh for
#csshsetup
The
Note that csshsetup is not specific to Serviceguard clusters; it can be used for arbitrary groups of systems. Also, the trust relationship does not have to be bidirectional. Omit the
4.3.3 Security Notes
The remote shell protocol is inherently insecure. It is the protocol used by the Berkeley “r commands”: rlogin, rcp, remsh, and so on. Many system administrators disable the “r” commands as a matter of policy. For example, the Bastille security hardening tool offers a default option to disable these insecure services. If disabled, the pdsh
If the “r” services are not disabled, use of the pdsh
If the hosts and users are trusted in your environment, you can enable the use of the pdsh
#cd /opt/dsau/bin
#chown root:bin pdsh
#chmod u+s pdsh