Operating System - HP-UX

Re: /.rhosts on MC/ServiceGuard

 
SOLVED

/.rhosts on MC/ServiceGuard

We have a two-node cluster and for security reasons, I wanted to verify if /.rhosts is required for MC/ServiceGuard to work on all nodes.

contents of /.rhosts file
servernamenode1 root
servernamenode2 root

Any reply would be greatly appreciated.
Thank you
9 REPLIES
Jeff_Traigle
Honored Contributor

Re: /.rhosts on MC/ServiceGuard

Nope. You can use /etc/cmcluster/cmclnodelist for the same purpose .rhosts was used. Same format as .rhosts, but only SG uses it.
--
Jeff Traigle
Sameer_Nirmal
Honored Contributor

Re: /.rhosts on MC/ServiceGuard

ServiceGuard checks for /etc/cmcluster/cmclnodelist before checking for a .rhosts file. If cmclnodelist is found first, .rhosts is ignored.

Ensure you have /etc/cmcluster/cmclnodelist in place ( which has same format of .rhosts ) and then .rhosts could be removed.
Thomas J. Harrold
Trusted Contributor
Solution

Re: /.rhosts on MC/ServiceGuard

Actually, with the latest release of MC/SG, you do not even need the /etc/cmcluster/cmclnodelist after the initial cluster is formed. You can define user access at the cluster, and package level.

Take a look at the comments in the cluster and package templates - near the bottom.

I use SSH for host-to-host access, and can completely disable the insecure telnet/rcmd access.

-tjh
I learn something new everyday. (usually because I break something new everyday)

Re: /.rhosts on MC/ServiceGuard

Thanks Jeff and Sameer. If I create the /etc/cmcluster/cmclnodelist file, do I still need to open the remshd in /etc/inetd.conf to make this work?

Thomas,
Can you provide more details on how to implement SSH for host-to-host access between the cluster nodes? We actually disabled telnet and all rcmds from inetd.conf on all our servers except cluster member servers. We use SSH to get access to all servers.

Thank you

Re: /.rhosts on MC/ServiceGuard

Thomas,
I forgot to mention we are using ver A.11.14 of MC/ServiceGuard. Does this version support SSH?
Thomas J. Harrold
Trusted Contributor

Re: /.rhosts on MC/ServiceGuard

To allow ssh access (without password) between two hosts:

1) decide on userid that needs access with no PW. Let's assume that you want root to be able to do this. (some site security policies are OK with this, especially in a cluster configuration)

2) ensure that ssh is installed, and that you can ssh to both hosts. (password required)

3) log in to host A
4) cd /.ssh (or ~root/.ssh if root's home is not "/")
5) ssh-keygen -t dsa (press return at all prompts, no need to enter a passphrase)
6) Default location of your key should be /.ssh/id_dsa
7) repeat for host B
8) scp the id_dsa.pub file from host A to host B, and cat the entire contents into a file called /.ssh/authorized_keys
9) scp the id_dsa.pub file from host B to host A, and cat the entire contents into a file called /.ssh/authorized_keys
10) test that you can ssh between the nodes without a password. (as the root user only)

Hope this helps,

-tjh
I learn something new everyday. (usually because I break something new everyday)
Jeff_Traigle
Honored Contributor

Re: /.rhosts on MC/ServiceGuard

If you use cmclnodelist, then you can disable remsh in inetd.conf. It's not needed. I forget which version of SG introduced the SSH capability, but I'm pretty sure it was after A.11.14.
--
Jeff Traigle
Thomas J. Harrold
Trusted Contributor

Re: /.rhosts on MC/ServiceGuard

I believe SG 11.15 and 11.16 support the "built in" security that can be configured at a cluster or package level.

Prior versions require the cmclnodelist file.

There are a lot of NICE enhancements in 11.16 that help with large clusters (ie lots of cluster aware VGs), so I highly recommend upgrading when you have an opportunity.

-tjh
I learn something new everyday. (usually because I break something new everyday)
John Bigg
Esteemed Contributor

Re: /.rhosts on MC/ServiceGuard

Serviceguard 11.14 and 11.15 require either .rhosts or cmclnodelist. It is 11.16 that introduces access control policies which obsolete these files after initial cluster creation.

In any case Serviceguard does not use remsh or ssh on any release and these can safely be disabled without affecting the cluster itself. However, you probably want to have something enabled to allow package files to be copied between nodes easily.
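
Added example (not part of any reply above, and not HP or Serviceguard code): a small POSIX shell audit of the files this thread discusses. It reports which trust file is in effect, using the order given in the replies (cmclnodelist before /.rhosts), flags "+" wildcard entries, and lists telnet/r-command services still enabled in inetd.conf. The function names, the `--demo` switch and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the trust files and inetd services discussed in this thread.
# The path prefix argument may be "" (live filesystem) or a directory holding copies.

# Print "host user" pairs from an .rhosts-format file, skipping blanks and comments.
trust_entries() {
    [ -f "$1" ] || return 0
    awk '!/^[ \t]*#/ && NF { print $1, $2 }' "$1"
}

# Print entries that use "+", the .rhosts wildcard for any host or any user.
wildcard_entries() { trust_entries "$1" | awk '$1 == "+" || $2 == "+"'; }

# Print telnet/r-command services that are still uncommented in an inetd.conf.
enabled_r_services() {
    [ -f "$1" ] || return 0
    awk '!/^[ \t]*#/ && $1 ~ /^(shell|login|exec|telnet)$/ { print $1 }' "$1"
}

# Report the trust file in effect (cmclnodelist is checked before .rhosts) and findings.
audit_node() {
    nodelist="$1/etc/cmcluster/cmclnodelist"; rhosts="$1/.rhosts"
    if [ -n "$(trust_entries "$nodelist")" ]; then
        echo "trust-file: cmclnodelist"
        [ ! -f "$rhosts" ] || echo "finding: /.rhosts still present, candidate for removal"
    elif [ -f "$rhosts" ]; then
        echo "trust-file: .rhosts"
    else
        echo "trust-file: none"
    fi
    for f in "$nodelist" "$rhosts"; do
        wildcard_entries "$f" | while read -r host user; do
            echo "finding: wildcard entry '$host $user' in $f"
        done
    done
    for svc in $(enabled_r_services "$1/etc/inetd.conf"); do
        echo "finding: inetd service '$svc' is enabled"
    done
}

# Build a constructed sample tree under $1 for a dry run (hypothetical values).
make_sample() {
    mkdir -p "$1/etc/cmcluster"
    printf 'servernamenode1 root\nservernamenode2 root\n' > "$1/etc/cmcluster/cmclnodelist"
    printf 'servernamenode1 root\n+ root\n' > "$1/.rhosts"
    printf '#telnet stream tcp nowait root /usr/lbin/telnetd telnetd\n' > "$1/etc/inetd.conf"
    printf 'shell stream tcp nowait root /usr/lbin/remshd remshd\n' >> "$1/etc/inetd.conf"
}
if [ "${1:-}" = "--demo" ]; then d="${TMPDIR:-/tmp}/sgaudit.$$"; make_sample "$d"; audit_node "$d"; rm -rf "$d"; fi
```

Run with `--demo` to see the report for the constructed tree; on a cluster node, source the file and call `audit_node ""` as root.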