Setup using rsh
Pre-requisites
- rsh and rcp
The installation and use of WebMO remote computational servers requires that rsh (remote-shell)
and rcp (remote-copy) be installed on the WebMO web server. In addition, rshd/rlogind (remote-shell
daemon) must be installed and running on the remote computational server.
- Existing account
The installation and use of a WebMO remote computational server requires that the
administrator have an existing account on each remote server. Ideally (though this is not required),
this should be a new one created specifically for WebMO (see security considerations below).
Set-up process
For purposes of this discussion, it will be assumed that WebMO was installed on
"webserver.domain.edu" running as user "nobody". It will further be assumed that an account named
"webmo" was created on the server "compserver.domain.edu" for use by WebMO.
- Configure .rhosts file
- Create a new account named webmo on compserver.domain.edu
- Login to the webmo account on compserver.domain.edu
- Create/append .rhosts file
% vi .rhosts (note the period in front of the 'r')
Add the line "webserver.domain.edu nobody"
- Restrict access to .rhosts file
% chmod 600 .rhosts
This gives the user nobody from webserver.domain.edu remote access to this new account.
Important: If cgiwrap is installed (see "Security considerations"), change "nobody"
in the above description to the username under whose directory WebMO was installed on the webserver.
- Troubleshooting
The first troubleshooting method is to ensure that one can execute commands on the remote machine
from the command prompt of the webserver machine.
- Login to the webmo account on compserver.domain.edu
- Create/append .rhosts file
% vi .rhosts (note the period in front of the 'r')
Add the line "webserver.domain.edu username"
where username is the name of an account you can access on webserver.domain.edu
for testing purposes.
- Login to the username account on webserver.domain.edu
- Test rsh
% rsh -l webmo compserver.domain.edu ls
(This should list the files on the remote machine. Any error messages
here indicate a problem with your rsh/rshd setup; consult your system
administrator for further assistance.)
- If desired, cleanup .rhosts file on compserver.domain.edu
The second troubleshooting method is to determine the username under which the WebMO webserver
is running.
- If you have not yet created any webmo users, login to WebMO
as 'admin' and create a user
- Login to an account on webserver.domain.edu
- Proceed to the <userBase> directory
% cd /home/smith/webmo
- Determine the owner of any user's directory (not admin)
% ls -alF
...
drwxrwxrwx 8 nobody nobody 119 May 26 11:06 smith/
...
In the above example, the webserver is running as 'nobody'.
It is vital that the username in the .rhosts file matches this username.
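The checks from the set-up and troubleshooting steps above (mode 600, the expected "host user" entry, a username that matches the web server's) can be scripted. This is an added example, not part of WebMO; the function name audit_rhosts and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WebMO code): audit the .rhosts file described above.
# audit_rhosts FILE WANT_HOST WANT_USER
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_rhosts() {
    file=$1; want_host=$2; want_user=$3
    bad=0; found=0
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }

    # The setup calls for chmod 600; read the mode string from ls so the
    # check does not depend on GNU or BSD stat syntax.
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "MODE $mode (expected -rw-------)"; bad=1; }

    # Entries are "host user". A '+' in either field is a wildcard that
    # trusts every host or every user, so it is always reported.
    while read -r host user rest || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        case "$host $user" in
            *+*) echo "WILDCARD $host $user"; bad=1 ;;
            "$want_host $want_user") found=1 ;;
            *) echo "UNEXPECTED $host $user"; bad=1 ;;
        esac
    done < "$file"

    # The entry must name the user the web server actually runs as.
    [ "$found" -eq 1 ] || { echo "ABSENT $want_host $want_user"; bad=1; }
    return "$bad"
}

# Constructed sample: the documented entry plus a stray wildcard line.
tmp=$(mktemp -d)
printf '%s\n' 'webserver.domain.edu nobody' '+ +' > "$tmp/.rhosts"
chmod 644 "$tmp/.rhosts"
audit_rhosts "$tmp/.rhosts" webserver.domain.edu nobody || echo "=> fix before use"
rm -rf "$tmp"
```

Run it on compserver.domain.edu against ~webmo/.rhosts, passing the username found in the second troubleshooting method as the third argument.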
Security considerations
Running rshd/rlogind (required for rsh/rcp access) on a computational server poses some
inherent security risk due to the nature of the programs. Note that if rshd/rlogind was
already running on the server, using WebMO does not increase this risk; the risk is inherent
in having rshd/rlogind running. However, the following measures can help decrease the risk.
- Create a unique account for WebMO
Since rsh access is on an account-by-account basis, create a new, unique account for WebMO
on the computational server. This will help ensure that rsh access is available to only
those files required to run WebMO.
- TCP wrappers
Install and configure tcp_wrappers on the computational server to allow rsh access
to only those computers that require such access.
- suexec
Suexec is a program that allows CGI scripts to run as the user in whose directory they are installed,
rather than as 'nobody'. This can be convenient both for security and for practical reasons. In particular,
rather than allowing rsh access from the user 'nobody' (which all webserver scripts run under),
rsh access can be granted only to the user in whose directory the WebMO scripts are installed. Suexec is normally
installed and enabled by default on most Linux distributions. However, it is NOT installed by
default on Mac OS X, and must be compiled and installed separately.
- Use ssh instead of rsh
See below for setup information.
Setup using ssh
Pre-requisites
- ssh and scp
The installation and use of WebMO remote computational servers requires that ssh
and scp (remote-copy) be installed on the WebMO web server. In addition, sshd
must be installed and running on the remote computational server.
- Existing account
The installation and use of a WebMO remote computational server requires that the
administrator have an existing account on each remote server. Ideally (though this is not required),
this should be a new one created specifically for WebMO (see security considerations below).
- suexec
Suexec is a program that allows CGI scripts to run as the user in whose directory they are installed,
rather than as 'nobody'. This can be convenient both for security and for practical reasons. In particular,
rather than allowing ssh access from the user 'nobody' (which all webserver scripts run under),
ssh access can be granted only to the user in whose directory the WebMO scripts are installed. Suexec is normally
installed and enabled by default on most Linux distributions. However, it is NOT installed by
default on Mac OS X, and must be compiled and installed separately.
Set-up process
For purposes of this discussion, it will be assumed that WebMO was installed on
"webserver.domain.edu" running as user "webmo". It will further be assumed that an account named
"webmo" was created on the server "compserver.domain.edu" for use by WebMO.
- Create a public/private keypair
- Login to the webmo account on webserver.domain.edu
- Create keypair
% ssh-keygen -t rsa -f ~/.ssh/id_rsa
You must enter a blank passphrase.
- vi ~/.ssh/id_rsa.pub
Copy contents of file to clipboard.
- Add public key to list of authorized keys
- Login to the webmo account on compserver.domain.edu
- vi ~/.ssh/authorized_keys
Paste contents of clipboard to file.
- chmod 600 ~/.ssh/authorized_keys
- Misc. setup
- Configure WebMO to use SSH2
Early versions of WebMO were configured to use SSH1 rather than SSH2. This
setting is not changed during upgrades. Thus, you must manually change WebMO
to use SSH2.
% vi webmo_cgi/interfaces/globals.int
Delete the contents of the entries 'sshOptions' and 'scpOptions'.
- Testing
- Login to the webmo account on webserver.domain.edu
- SSH to compserver.domain.edu
% ssh webmo@compserver.domain.edu
(The first time you should be prompted to accept the identity of
compserver.domain.edu)
% exit
% ssh webmo@compserver.domain.edu
(You should now be logged on to compserver.domain.edu without any prompting)
% exit
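Because the key pair above has a blank passphrase, the authorized_keys entry on compserver.domain.edu is the place to limit where that key is accepted from. The following added example (not part of WebMO) scripts the "Add public key to list of authorized keys" step with a source restriction; the function names, the address 192.0.2.10 standing in for webserver.domain.edu, and the key blob are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WebMO code). 192.0.2.10 is a placeholder address for
# webserver.domain.edu and the key blob below is constructed, not a real key.

# restricted_entry SOURCE PUBKEY_FILE
# Print an authorized_keys line that accepts the key only from SOURCE and
# disables forwarding. Remote commands and scp keep working.
restricted_entry() {
    src=$1; pub=$2
    ktype=; blob=; comment=
    [ -f "$pub" ] || return 1
    read -r ktype blob comment < "$pub" || [ -n "$ktype" ] || return 1
    # Accept only a public key line. The private half (id_rsa) starts with
    # "-----BEGIN" and is rejected here, so it is never copied by mistake.
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not a public key: $pub" >&2; return 1 ;;
    esac
    [ -n "$blob" ] || return 1
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s %s%s\n' \
        "$src" "$ktype" "$blob" "${comment:+ $comment}"
}

# install_entry ENTRY SSH_DIR
# Append ENTRY to SSH_DIR/authorized_keys once, with modes 700 and 600.
install_entry() {
    entry=$1; dir=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys" || return 1
    grep -qxF -- "$entry" "$dir/authorized_keys" ||
        printf '%s\n' "$entry" >> "$dir/authorized_keys"
}

# Demo in a scratch directory standing in for ~webmo on compserver.domain.edu.
tmp=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED webmo@webserver.domain.edu' > "$tmp/id_rsa.pub"
entry=$(restricted_entry 192.0.2.10 "$tmp/id_rsa.pub") &&
    install_entry "$entry" "$tmp/.ssh" &&
    cat "$tmp/.ssh/authorized_keys"
rm -rf "$tmp"
```

The from= option matches host names only when sshd on the computational server has UseDNS enabled, which is why the example uses an address.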
Configuring WebMO
- Add the remote server to WebMO
- Login to WebMO as the WebMO administrator
- Proceed to the "Remote Server Manager"
- Type in a name for the remote server (e.g. 'Remote 1')
- Type in the address for the remote server (e.g. 'server.domain.edu')
- Type in the username of the account established on this server (e.g. 'webmo')
- Type in the home directory corresponding to this username (e.g. '/home/webmo' or '/usr/people/webmo')
- Type in the scratch directory location on this server (e.g. '/tmp' or '/scratch')
- Click "Add" to add the computational server
After 5 to 60 seconds, a message should appear stating that the computational server has been successfully added. If an error message appears, consult the troubleshooting section below.
- Enable the interfaces for the new server
- Proceed to the "Interface Manager"
- Select the remote server and click the "Change" button
- Click the "Enable" button for each available interface
- Configure each new interface
- Proceed to the "Computational Engine Manager"
- Select the remote server and click the "Change" button
- Edit preferences, such as path to the executable, as appropriate