SSH to Azure HDInsight Premium cluster nodes
With HDInsight Standard cluster any user can SSH to the cluster nodes. In comparison HDInsight Premium cluster nodes by default restricts SSH access to two groups sudo and root. My initial assumption was that Microsoft may have done this for security reasons but then why allow the root user to login over SSH - this is something that most sysadmins disable.
HDInsight Premium cluster nodes have the following line in the /etc/ssh/sshd_config:
AllowGroups sudo root
This line states that members of the group sudo and root (e.g. in the later case that's the root user) are permitted to login via SSH. If you would like to allow any user to login via SSH simply remove this line.
A better approach is to create a group in AD (and ensure this group is synchronised to the HDInsight cluster - this is something that you must configure when you deploy the cluster) and use that instead.
There seems to be a limitation that AllowGroups does not work with AD groups other than those shown via id <username>. I suspect this behaviour may be due to a limitation with winbind - when using SSD and Realmd to domain join a Linux VM, the full group membership is shown for a user. Furthermore if your AD groups contain spaces then because the space character is used to separate users then this won't work - you can partially work around this by using the asterisk character:
AllowGroups sudo domain*users
HDInsight Premium cluster nodes have the following line in the /etc/ssh/sshd_config:
AllowGroups sudo root
This line states that members of the group sudo and root (e.g. in the later case that's the root user) are permitted to login via SSH. If you would like to allow any user to login via SSH simply remove this line.
A better approach is to create a group in AD (and ensure this group is synchronised to the HDInsight cluster - this is something that you must configure when you deploy the cluster) and use that instead.
There seems to be a limitation that AllowGroups does not work with AD groups other than those shown via id <username>. I suspect this behaviour may be due to a limitation with winbind - when using SSD and Realmd to domain join a Linux VM, the full group membership is shown for a user. Furthermore if your AD groups contain spaces then because the space character is used to separate users then this won't work - you can partially work around this by using the asterisk character:
AllowGroups sudo domain*users
Comments
Post a Comment