ssh_keys group missing for CentOS7 image

[PIERCE JORGENSEN]

Hello,

I've run into some issues setting up host-based authentication on CloudLab. I need to configure host-level trust between a CloudLab node and a remote host for testing an application called Open OnDemand. 

Documentation: Open OnDemand, hostBasedAuthentication

From what I understand CentOS/RHEL has a group called ssh_keys that is used by ssh-keysign to enable secure signing of host keys in /etc/ssh. But when I start up a new experiment using a CentOS7 image, I see that the host keys in /etc/ssh have these permissions and no ssh_keys group exists in /etc/group:

-rw-------. 1 root root 227  [date]   ssh_host_ecdsa_key 

-rw-r--r--. 1 root root 162  [date]   ssh_host_ecdsa_key.pub 

-rw-------. 1 root root 387  [date]   ssh_host_ed25519_key 

-rw-r--r--. 1 root root 82  [date]   ssh_host_ed25519_key.pub 

-rw-------. 1 root root 1675  [date]   ssh_host_rsa_key 

-rw-r--r--. 1 root root 382  [date]   ssh_host_rsa_key.pub

When I know it typically looks something like:

-rw-r-----. 1 root ssh_keys 668 [date] ssh_host_dsa_key 

-rw-r--r--. 1 root root 590  [date]   ssh_host_dsa_key.pub 

-rw-r-----. 1 root ssh_keys 965  [date]   ssh_host_key 

-rw-r--r--. 1 root root 630  [date]   ssh_host_key.pub

 -rw-r-----. 1 root ssh_keys 1679  [date]   ssh_host_rsa_key 

-rw-r--r--. 1 root root 382  [date]   ssh_host_rsa_key.pub

Without ssh-keysign being part of the group ssh_keys and having group readable permissions for the host_keys in /etc/ssh, I can't enable host-level trust. Is this an intentional decision for the security of the CloudLab nodes? Is there a way I can safely enable this feature or would it be safer to do this on another platform? 

Thanks for the help!

Pierce Jorgensen

University of Utah, CHPC

[David M Johnson]

Hi. This is already under discussion in this thread started by Joe:
https://groups.google.com/g/cloudlab-users/c/ouz8AiH3vb0/m/I0FRSbkfAAAJ

Thanks.

David

On 4/16/21 9:52 AM, PIERCE JORGENSEN wrote:
> Hello,
>
> I've run into some issues setting up host-based authentication on
> CloudLab. I need to configure host-level trust between a CloudLab node
> and a remote host for testing an application called Open OnDemand. 
>
> Documentation: Open OnDemand

> <https://openondemand.org/>, hostBasedAuthentication
> <https://arc.liv.ac.uk/SGE/howto/hostbased-ssh.html>

> --
> You received this message because you are subscribed to the Google
> Groups "cloudlab-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cloudlab-user...@googlegroups.com
> <mailto:cloudlab-user...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/cloudlab-users/7ee79f36-d21c-4c34-b5dd-db094b11a714n%40googlegroups.com
> <https://groups.google.com/d/msgid/cloudlab-users/7ee79f36-d21c-4c34-b5dd-db094b11a714n%40googlegroups.com?utm_medium=email&utm_source=footer>.

[Joe Breen]

Pierce,

Please see the thread on which I cc:'d you and on which David Johnson answered this question.  There is a workaround posted in that thread.  Please email if you have questions.  

Thanks 

  --Joe

  Joe....@utah.edu

  Univ of Utah Center for High Performance Computing

--

You received this message because you are subscribed to the Google Groups "cloudlab-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cloudlab-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cloudlab-users/7ee79f36-d21c-4c34-b5dd-db094b11a714n%40googlegroups.com.

[Pierce Jorgensen]

Ah, I see. I was just about to close the topic after having seen it. Thanks for the quick response though!

Pierce Jorgensen

University of Utah CHPC

[David M Johnson]

Hi Joe, Pierce. We've finally finished pushing out the updates that fix
this problem... please let us know if something still isn't working.

Thanks!

David

On 4/16/21 10:05 AM, Joe Breen wrote:
> Pierce,
>
> Please see the thread on which I cc:'d you and on which David Johnson
> answered this question.  There is a workaround posted in that thread. 
> Please email if you have questions.  
>
> Thanks 
>   --Joe

>   Joe....@utah.edu <mailto:Joe....@utah.edu>

>   Univ of Utah Center for High Performance Computing
>
>
>
> On Fri, Apr 16, 2021 at 9:53 AM PIERCE JORGENSEN
> <u106...@gcloud.utah.edu <mailto:u106...@gcloud.utah.edu>> wrote:
>
> Hello,
>
> I've run into some issues setting up host-based authentication on
> CloudLab. I need to configure host-level trust between a CloudLab
> node and a remote host for testing an application called Open OnDemand. 
>

> Documentation: Open OnDemand
> <https://openondemand.org/>, hostBasedAuthentication
> <https://arc.liv.ac.uk/SGE/howto/hostbased-ssh.html>
>

> <mailto:cloudlab-user...@googlegroups.com>.

> To view this discussion on the web visit
> https://groups.google.com/d/msgid/cloudlab-users/7ee79f36-d21c-4c34-b5dd-db094b11a714n%40googlegroups.com

> <https://groups.google.com/d/msgid/cloudlab-users/7ee79f36-d21c-4c34-b5dd-db094b11a714n%40googlegroups.com?utm_medium=email&utm_source=footer>.

>
> --
> You received this message because you are subscribed to the Google
> Groups "cloudlab-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cloudlab-user...@googlegroups.com

> <mailto:cloudlab-user...@googlegroups.com>.

> To view this discussion on the web visit

> https://groups.google.com/d/msgid/cloudlab-users/CAJ11-S9-S-%2B2As99xnreGw7Y9hRH-LCOPj4StLyT54tLHTojsw%40mail.gmail.com
> <https://groups.google.com/d/msgid/cloudlab-users/CAJ11-S9-S-%2B2As99xnreGw7Y9hRH-LCOPj4StLyT54tLHTojsw%40mail.gmail.com?utm_medium=email&utm_source=footer>.