Nevis Linux Cluster Authentication

This web page contains a discussion of how user authentication is handled on the Nevis Linux cluster.

The Basics

In simple terms, "user authentication" means who is allowed to log on to a machine in the Linux cluster.

The cluster shares a common list of account names, passwords, and home directories. Your password and home directory will be the same on any machine on which you can log in. (Home directories are shared between systems using automount.)

If you want to change your password on the cluster, you use the passwd command. This will change your password on every machine on the entire cluster, not just the system you're on.

However, not every user is allowed to log in to every machine. Typically, only members of the group that owns a system can log in to it: only ATLAS collaborators can use the ATLAS clients and servers, only neutrino collaborators can use the neutrino systems, and so on.


To go beyond the basics, you have to learn something about NIS, or Network Information Services. (This used to be called "yellow pages", which is why all the NIS commands begin with "yp".)

Basically, NIS is a way of sharing files across a network. If you'd like to list the files shared by the Linux cluster, use the command

ypwhich -m

This lists which files (or "maps") are maintained using NIS, and the name of the computer on which the master files are stored. I can change a file on one machine, but if I want all the machines in the cluster to see a change, I must make the change in the file on the "NIS master" computer.

What happens if the NIS master computer goes down? Chaos would ensue -- which is why there are backup copies of the NIS files stored on other machines ("NIS slaves"). As long as at least one master or slave system is running, NIS will continue to function on the entire cluster. To see a list of all the NIS slaves, use the command

ypcat ypservers

On a UNIX system, the list of user accounts is stored in the file /etc/passwd. To see who can log in to a particular machine, use the command

cat /etc/passwd

On one machine at Nevis, the last few lines in the file are:


Translated into human terms, these lines mean: All members of the netgroup "admin-users" can log in to this computer; all members of the netgroup "atlas-users" can log in as well; everyone else ("linux-users") cannot log in because their login shell is /bin/false. (This last line is needed so that ATLAS users can access the basic account information of other users (via finger, for example) without allowing those users access to the machine.)

So who is in these "netgroups"? To find out who is in the group atlas-users, for example, use the command

ypmatch atlas-users netgroup

To get the account information for one of these users, "seligman" for example, use the command

ypmatch seligman passwd

If you want to see the entire passwd file stored on the NIS master, I suggest you try

ypcat passwd | sort | less

(If you don't use sort, the names will be listed in random order.)

Note that using NIS greatly simplifies administration of the cluster. A user has only one account name, password, and home directory throughout the cluster. If a user is added to a netgroup, they automatically have access to all that group's machines on the cluster. The administrators can control access to a machine on an individual level (e.g., user "jsmith" can only access machines A, B, and C) or on the group level (e.g., this machine can be accessed by anyone in ATLAS and anyone in eBubble).
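
The access rule described above (netgroup lines at the end of /etc/passwd, followed by a catch-all entry whose shell is /bin/false) can be audited offline; the following Python is an added example, not part of the original page or the Nevis configuration. It assumes the standard "+@netgroup" compat-mode passwd syntax and models only "+" entries; the passwd lines, netgroup contents, the nested group atlas-core, the accounts adoe and nuser, and all shells are constructed sample data.

```python
import re

# Constructed sample data (not the Nevis files): compat-mode tail of /etc/passwd,
# the netgroup map as "name member ..." lines, and NIS account -> login shell.
PASSWD_TAIL = ["+@admin-users::::::", "+@atlas-users::::::", "+::::::/bin/false"]
NETGROUP_MAP = """\
admin-users (,seligman,)
atlas-core (,jsmith,)
atlas-users atlas-core (,adoe,)
"""
NIS_SHELLS = {"seligman": "/bin/tcsh", "jsmith": "/bin/bash",
              "adoe": "/bin/bash", "nuser": "/bin/bash"}
NO_LOGIN = (None, "/bin/false", "/sbin/nologin")

def parse_netgroups(text):
    """Map each netgroup name to its list of member tokens."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return {name: members for name, *members in rows}

def expand(name, groups, seen=None):
    """Users in a netgroup, nested groups included; "*" marks a wildcard triple."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:  # cycle or unknown group
        return set()
    seen.add(name)
    users = set()
    for member in groups[name]:
        triple = re.fullmatch(r"\(([^,]*),([^,]*),([^,]*)\)", member)
        if triple is None:
            users |= expand(member, groups, seen)  # nested netgroup
        elif triple.group(2) != "-":               # "-" matches no user
            users.add(triple.group(2) or "*")      # empty field matches any user
    return users

def effective_shell(user, passwd_lines, groups, nis_shells):
    """Shell this machine gives a NIS user; the first matching "+" entry wins."""
    if user not in nis_shells:
        return None
    for line in (l for l in passwd_lines if l.startswith("+")):  # "+" entries only
        fields = (line.split(":") + [""] * 6)[:7]
        key = fields[0][1:]
        members = expand(key[1:], groups) if key.startswith("@") else {key or "*"}
        if user in members or "*" in members:
            return fields[6] or nis_shells[user]  # non-empty shell field overrides NIS
    return None

def can_log_in(user):
    groups = parse_netgroups(NETGROUP_MAP)
    return effective_shell(user, PASSWD_TAIL, groups, NIS_SHELLS) not in NO_LOGIN
```

Reordering the constructed lines so that the catch-all "+" entry comes first would lock out every NIS user, because the first matching entry decides the shell.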