Cluster requires root login between machines?

[Pegasus]

Hello.

Does regular cluster communication require root logon between machines? I usually set 'PermitRootLogon' to 'no' in my sshd_config for safety. I set it to yes to add a cluster node, but can I turn it back off now?

If it must be on, does it use keys for authentication? I usually also set 'PasswordAuthentication' to 'no' as well to prevent cracking attempts since I use keys to log in to my servers. I had to set it to 'yes' to join the node but can I set it back to 'no' now?

Thanks for any help anyone can provide.

 

[dietmar]

After join, we use keys for authentication.

 

[Pegasus]

Okay, that's good, but does it continue to use root? And must all servers in a cluster be able to accept root logins from every other server in the cluster?

 

[dietmar]

Okay, that's good, but does it continue to use root? And must all servers in a cluster be able to accept root logins from every other server in the cluster?

yes

 

[Frazze]

You could do something like this in sshd config:



AllowUsers user1 user2 root@127.0.0.1 root@IP-NODE-1 root@IP-NODE-2 root@IP-NODE-3 root@IP-NODE-4



This will allow connections just from the root user from your node servers.


At the very end of sshd_config add the following:



Match User root
PasswordAuthentication yes


Now you should only be able to login via root and password from the in AllowUsers specified IP-Adresses.




I think this is the best solution to your security-concerns