IBM® Spectrum LSF 10.1 Fix 564668 Readme File 

Abstract


P103960. This fix prevents the user from using LSF as arbitrary users by replacing the eauth key in the data packet that is used for the authentication mechanism.


Description


Readme documentation for IBM® Spectrum LSF 10.1 Fix 564668 including installation-related instructions, prerequisites and co-requisites, and list of fixes.

This fix addresses the following issue:

By default LSF uses eauth for its authentication mechanism, which uses a hardcoded key. This key is generated from an external authentication framework named eauth to secure user credentials for the data stream between LSF clients and servers. However, users can use the eauth in the Community Edition to generate the auth key for any specified user name. Since LSF uses exactly the same key that is available for download in the Community Edition of LSF, anyone can obtain this key and use it to send requests as arbitrary users in an LSF installation.


This fix adds a checksum for each authorization request. Any data packet that is sent to LSF can be identified if it has been modified. This fix can prevent users from changing either the user credential or the content of LSF requests.


A summary of the steps apply this fix is as follows (for detailed steps, follow section 5, Installation and configuration):

1.    Shut down the LSF cluster.

2.    Update the binary files.

3.    Set LSF_STRICT_CHECKING=ENHANCED in the lsf.conf file.

4.    Start up the entire cluster.

5.    If using multiple clusters,  restart each cluster.


A new configuration that this fix introduces for the security communication:

LSF_STRICT_CHECKING=ENHANCED


Note:

All daemons and commands need to set LSF_STRICT_CHECKING=ENHANCED to enable security communication. For now, only requests that have LSF authentication contain checksum.


Readme File for: IBM® Spectrum LSF

Product/Component Release: 10.1

Update Name: Fix 564668

Fix ID: LSF-10.1-build564668

Publication Date: Dec 23, 2020

Last Modified Date: Dec 23, 2020

Contents

1. List of Fixes

2. Download Location

3. Product or Components Affected

4. System Requirements

5. Installation and Configuration

6. List of Files

7. Product Notifications

8. Copyright and Trademark Information


1. List of Fixes

P103960


2. Download Locations

Download Fix 564668 from the following location: http://www.ibm.com/eserver/support/fixes/


3. Product or Components Affected

Affected product or components include:

LSF/bacct

LSF/bhpart 

LSF/bread 

LSF/bswitch 

LSF/bimages 

LSF/breboot 

LSF/btop 

LSF/bjdepinfo 

LSF/breconfig

LSF/bugroup

LSF/bjgroup 

LSF/brequeue 

LSF/busers 

LSF/bjobs 

LSF/bresize 

LSF/bwait 

LSF/battach 

LSF/bresources 

LSF/bkill 

LSF/brestart 

LSF/bapp 

LSF/blaunch 

LSF/bresume 

LSF/bbot 

LSF/brlainfo 

LSF/bclusters 

LSF/brsvdel 

LSF/blimits 

LSF/brsvjob 

LSF/brsvadd 

LSF/bctrld 

LSF/bmg 

LSF/brsvmod 

LSF/bentags 

LSF/bmgroup 

LSF/brsvs 

LSF/bgadd 

LSF/bmig 

LSF/brsvsub 

LSF/bgbroker 

LSF/bmod 

LSF/brun 

LSF/bgdel 

LSF/bgpinfo 

LSF/bpeek 

LSF/bstatus 

LSF/bhist 

LSF/bpost 

LSF/bstop 

LSF/bsub 

LSF/bhosts 

LSF/bqueues 

LSF/badmin 

LSF/bchkpnt 

LSF/bconf 

LSF/bsla 

LSF/bparams 

LSF/bslots 

LSF/bgmod 

LSF/bqc 

LSF/battr

LSF/lsacctmrg 

LSF/lslockhost 

LSF/lsadmin 

LSF/lslogin 

LSF/lsltasks 

LSF/lsclusters 

LSF/lsmail 

LSF/lsmake 

LSF/lseligible 

LSF/lsmakerm 

LSF/lsfrestart 

LSF/lsmon

LSF/lsfrsv 

LSF/lspasswd 

LSF/lsfshutdown 

LSF/lsrcp 

LSF/lsfstartup 

LSF/lsreghost 

LSF/lsreconfig 

LSF/lsrtasks 

LSF/lsgrun 

LSF/lsrun 

LSF/lshosts 

LSF/lsacct 

LSF/lsinfo 

LSF/lsid 

LSF/lsload 

LSF/lsf_daemons 

LSF/lsloadadj 

LSF/lsmail 

LSF/lstcsh 

LSF/lsplace 

LSF/lsunlockhost 

LSF/lsmake4

LSF/mesub 

LSF/echkpnt 

LSF/eadmin 

LSF/erestart 

LSF/augmentstarter 

LSF/TaskStarter 

LSF/zapit 

LSF/tspeektssub

LSF/egoconfig 

LSF/egoenv 

LSF/egoexec 

LSF/egosh 

LSF/egosc 

LSF/ego_client 

LSF/vemkd 

LSF/wsgserver 

LSF/named 

LSF/wsm 

LSF/execproxy 

LSF/utmpreg 

LSF/xagent 

LSF/resmig 

LSF/ch 

LSF/clnqs 

LSF/poejob 

LSF/ppmsetvar 

LSF/pipeclient 

LSF/preservestarter 

LSF/egogenkey 

LSF/egoapplykey

LSF/qrestart 

LSF/qrun 

LSF/qsa 

LSF/qsnapshot 

LSF/qsub 

LSF/lsportcheck 

LSF/qstat 

LSF/qwatch 

LSF/qdel 

LSF/qjlist 

LSF/qmapmgr 

LSF/qmgr 

LSF/qps 

LSF/qlimit

LSF/dnssec-keygen 

LSF/nqsi 

LSF/mpdstartup 

LSF/pmd_w 

LSF/pvmjob 

LSF/init_energy 

LSF/initialize_eas 

LSF/kubebridge 

LSF/parallelJob-controller 

LSF/batch-driver 

LSF/mbatchd 

LSF/mbschd 

LSF/sbatchd

LSF/res 

LSF/nios 

LSF/lim 

LSF/ebrokerd 

LSF/eauth 

LSF/krbrenewd 

LSF/mosquitto 

LSF/pim 

LSF/pem 

LSF/pam 

LSF/rla

LSF/gpolicyd

LSF/libbat.a

LSF/libbat.so

LSF/liblsf.so

LSF/liblsf.a

LSF/libbat.lib

LSF/libbatw2k.dll

LSF/liblsf.lib

LSF/liblsbstream.lib

LSF/liblsbstream.dll

LSF/liblsfdll.dll

LSF/liblsfw2k.lib

LSF/liblsfw2k.dll

LSF/libsched.dll

LSF/lsf.h

LSF/lsbatch.h

LSF/lssched.h



4. System Requirements

linux2.6-glibc2.3-x86_64

linux3.10-glibc2.17-x86_64

linux3.10-glibc2.17-ppc64le

win-x64

linux3.12-glibc2.17-armv8

aix-64

hpuxia64

x86-64-sol10

sparc-sol10-64

macosx


5. Installation and Configuration

5.1 Before installation

(LSF_TOP=Full path to the top-level installation directory of LSF.) 

1) Log on to the LSF master host as the LSF cluster primary administrator 

2) Set the LSF cluster environment: 

- For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf 

- For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf 

3)    Run 

       badmin hshutdown all

       badmin mbdrestart

       lsadmin resshutdown all

       lsadmin limshutdown all


5.2 Installation steps

1) Log on to the LSF master host as root and set the LSF cluster environment 

2) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/ 

3) Copy the patch file to the install directory $LSF_ENVDIR/../10.1/install/ 

4) Run patchinstall: ./patchinstall <patch> 


5.3 After installation

1) Log on to the LSF master host as the LSF cluster primary administrator and set the LSF cluster environment 

2) Set LSF_STRICT_CHECKING=ENHANCED in the lsf.conf file.

3) Run lsadmin limstartup all

4) Run lsadmin resstartup all 

5) Run badmin hstartup all 


5.4 Uninstallation

1) Log on to the LSF master host as the LSF cluster primary administrator and set the LSF cluster environment 

2) Run badmin hshutdown all

3) Run badmin mbdrestart 

4) Run lsadmin resshutdown all

5) Run lsadmin limshutdown all

6) Log on to the LSF master host as root and set the LSF cluster environment 

7) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/ 

8) Run ./patchinstall -r <patch> 

9) Log on to the LSF master host as the LSF cluster primary administrator and set the LSF cluster environment 

10) Run lsadmin limstartup all

11) Run lsadmin resstartup all

12) Run badmin hstartup all



6. List of Files

bacct

bhpart 

bread 

bswitch 

bimages 

breboot 

btop 

bjdepinfo 

breconfig

bugroup

bjgroup 

brequeue 

busers 

bjobs 

bresize 

bwait 

battach 

bresources 

bkill 

brestart 

bapp 

blaunch 

bresume 

bbot 

brlainfo 

bclusters 

brsvdel 

blimits 

brsvjob 

brsvadd 

bctrld 

bmg 

brsvmod 

bentags 

bmgroup 

brsvs 

bgadd 

bmig 

brsvsub 

bgbroker 

bmod 

brun 

bgdel 

bgpinfo 

bpeek 

bstatus 

bhist 

bpost 

bstop 

bsub 

bhosts 

bqueues 

badmin 

bchkpnt 

bconf 

bsla 

bparams 

bslots 

bgmod 

bqc 

battr

lsacctmrg 

lslockhost 

lsadmin 

lslogin 

lsltasks 

lsclusters 

lsmail 

lsmake 

lseligible 

lsmakerm 

lsfrestart 

lsmon

lsfrsv 

lspasswd 

lsfshutdown 

lsrcp 

lsfstartup 

lsreghost 

lsreconfig 

lsrtasks 

lsgrun 

lsrun 

lshosts 

lsacct 

lsinfo 

lsid 

lsload 

lsf_daemons 

lsloadadj 

lsmail 

lstcsh 

lsplace 

lsunlockhost 

lsmake4

mesub 

echkpnt 

eadmin 

erestart 

augmentstarter 

TaskStarter 

zapit 

tspeektssub

egoconfig 

egoenv 

egoexec 

egosh 

egosc 

ego_client 

vemkd 

wsgserver 

named 

wsm 

execproxy 

utmpreg 

xagent 

resmig 

ch 

clnqs 

poejob 

ppmsetvar 

pipeclient 

preservestarter 

egogenkey 

egoapplykey

qrestart 

qrun 

qsa 

qsnapshot 

qsub 

lsportcheck 

qstat 

qwatch 

qdel 

qjlist 

qmapmgr 

qmgr 

qps 

qlimit

dnssec-keygen 

nqsi 

mpdstartup 

pmd_w 

pvmjob 

init_energy 

initialize_eas 

kubebridge 

parallelJob-controller 

batch-driver 

mbatchd 

mbschd 

sbatchd 

res 

nios 

lim 

ebrokerd 

eauth 

krbrenewd 

mosquitto 

pim 

pem 

pam 

rla

gpolicyd

libbat.a

libbat.so

liblsf.a

liblsf.so

libbat.lib

libbatw2k.dll

liblsf.lib

liblsbstream.lib

liblsbstream.dll

liblsfdll.dll

liblsfw2k.lib

liblsfw2k.dll

libsched.dll

lsf.h

lsbatch.h

lssched.h


7. Product Notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page ( www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.



8. Copyright and Trademark Information

©Copyright IBM Corporation 2020


U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.