Configuration to modify external authentication

You can modify external authentication behavior by writing your own eauth executable. There are also configuration parameters that modify various aspects of external authentication behavior by:
  • Increasing security through the use of an external encryption key (recommended)

  • Specifying a trusted user account under which the eauth executable runs (UNIX and Linux only)

You can also choose Kerberos authentication to provide a secure data exchange during LSF user and daemon authentication and to forward credentials to a remote host for use during job execution.

Configuration to modify security

File: lsf.sudoers

Parameter and syntax: LSF_EAUTH_KEY=key

Description:

  • The eauth executable uses the external encryption key that you define to encrypt and decrypt the credentials.

  • The key must contain at least six characters and must use only printable characters.

  • For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. You must also configure eauth as setuid to root so that eauth can read the lsf.sudoers file and obtain the value of LSF_EAUTH_KEY.

  • For Windows, you must edit the shared lsf.sudoers file.

Configuration to specify the eauth user account

On UNIX hosts, the eauth executable runs under the account of the primary LSF administrator. You can modify this behavior by specifying a different trusted user account. For Windows hosts, you do not need to modify the default behavior because eauth runs under the service account, which is always a trusted, secure account.

File: lsf.sudoers

Parameter and syntax: LSF_EAUTH_USER=user_name

Description:

  • UNIX only

  • The eauth executable runs under the account of the specified user rather than the account of the LSF primary administrator.

  • You must edit the lsf.sudoers file on all hosts within the cluster and specify the same user name.

Configuration to modify Kerberos authentication

Kerberos authentication is supported only for UNIX and Linux hosts, and only on the following operating systems:
  • IRIX 6.5

  • Linux 2.x

  • Solaris 2.x

Configuration file: lsf.conf

Parameter and syntax, with behavior:

LSF_AUTH=eauth

  • Enables external authentication

LSF_AUTH_DAEMONS=1

  • Enables daemon authentication when external authentication is enabled

LSB_KRB_TGT_FWD=Y|y|N|n

  • Controls the user Ticket Granting Ticket (TGT) forwarding feature

LSB_KRB_TGT_DIR=dir

  • Specifies the directory in which the Ticket Granting Ticket (TGT) for a running job is stored.

LSB_KRB_CHECK_INTERVAL=minutes

  • Sets the time interval that krbrenewd and root sbd wait before the next check.

LSB_KRB_RENEW_MARGIN=minutes

  • Specifies how long krbrenewd and root sbd have to renew the Ticket Granting Ticket (TGT) before it expires.

LSB_KRB_LIB_PATH=path to krb5 lib

  • Specifies the library path that contains the krb5 libraries.

LSB_EAUTH_EACH_SUBPACK=Y|y|N|n

  • Makes bsub call eauth for each sub-pack.

Configuration file: lsf.sudoers

LSF_EAUTH_USER=root

  • For Kerberos authentication, the eauth executable must run under the root account.

  • You must edit the lsf.sudoers file on all hosts within the cluster and specify the same user name. The Kerberos-specific eauth is used only for user authentication or daemon authentication.
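
The lsf.sudoers rules on this page (a key of at least six printable characters, the same key and user name on every host, and root as the eauth user for Kerberos) can be checked before a change is rolled out. The following Python check is an added example, not IBM or LSF code; the host names, the sample file contents, the handling of `#` comment lines, and reading "printable" as ASCII 0x20-0x7E are assumptions.

```python
import hashlib

def parse_params(text):
    """Parse NAME=value lines; skipping blanks and '#' comments is an assumption."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit(sudoers_by_host, kerberos=False):
    """Return findings for a mapping of host name -> lsf.sudoers contents."""
    findings, key_prints, users = [], {}, {}
    for host, text in sudoers_by_host.items():
        params = parse_params(text)
        key = params.get("LSF_EAUTH_KEY")
        key_prints[host] = None
        if key is None:
            findings.append(f"{host}: LSF_EAUTH_KEY not set (recommended)")
        else:
            if len(key) < 6:
                findings.append(f"{host}: LSF_EAUTH_KEY shorter than six characters")
            # Assumption: "printable" means ASCII 0x20-0x7E.
            if not all(0x20 <= ord(c) <= 0x7E for c in key):
                findings.append(f"{host}: LSF_EAUTH_KEY has non-printable characters")
            # Compare fingerprints so the key itself never reaches the output.
            key_prints[host] = hashlib.sha256(key.encode()).hexdigest()
        users[host] = params.get("LSF_EAUTH_USER")
        if kerberos and users[host] != "root":
            findings.append(f"{host}: LSF_EAUTH_USER must be root for Kerberos")
    if len(set(key_prints.values())) > 1:
        findings.append("cluster: LSF_EAUTH_KEY differs between hosts")
    if len(set(users.values())) > 1:
        findings.append("cluster: LSF_EAUTH_USER differs between hosts")
    return findings

# Constructed sample input: two hypothetical hosts with inconsistent files.
SAMPLE = {
    "hostA": "LSF_EAUTH_KEY=Xk3!pQ9z\nLSF_EAUTH_USER=root\n",
    "hostB": "# constructed sample\nLSF_EAUTH_KEY=abc12\nLSF_EAUTH_USER=lsfadmin\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, kerberos=True):
        print(finding)
```

Feed it the file contents collected from each host by whatever means the site already uses; an empty list means the files satisfy the rules listed above.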