

Manage Linux authentication key for HPC Pack

Important

To address the critical vulnerability CVE-2025-21198, all HPC Pack 2016 clusters and HPC Pack 2019 Update 2 and earlier clusters must immediately apply the following steps to set a Linux authentication key on all head nodes and all Linux compute nodes. This includes any clusters that do not have Linux compute nodes at all. Clusters that are exclusively on Windows still need to set the Linux authentication key on all head nodes.

For backward compatibility reasons, the HPC Pack 2019 Update 3 patcher will NOT generate a Linux authentication key for existing clusters in order to not break connectivity between head node(s) and compute nodes. Users must manually add the Linux authentication key to their cluster and verify that their cluster is working before updating to Update 3.

In addition, any newly-installed HPC Pack 2016 clusters and HPC Pack 2019 Update 2 and earlier clusters must immediately apply the following steps to set the Linux authentication key on the head node(s) and Linux compute nodes right after installation. This includes both clusters deployed via the installer and clusters deployed via ARM templates.

HPC Pack 2019 Update 3 and later clusters, whether deployed via installer or ARM templates, set or generate Linux authentication keys by default during installation, and therefore do not require the following fix-up steps.

The Linux authentication key is a pre-shared key between HPC Pack head nodes and HPC Pack Linux compute nodes, securing communication between head nodes and compute nodes. It is a password string that can be of any length, containing alphanumeric characters or -, ., _, ~, +, / and = symbols.

The Linux authentication key setting is maintained separately on head nodes and on each Linux compute node, and every node in the same cluster needs to set the Linux authentication key to the same value.

Managing Linux authentication key on head node(s)

Note

HPC Pack 2019 Update 3 and later's installer will automatically generate a new random Linux authentication key upon installation of new clusters, or use the user-specified Linux authentication key supplied via the authenticationKey ARM template parameter or the LinuxAuthenticationKey parameter to the unattended installer. There is no need to run the following steps for head nodes of freshly installed HPC Pack 2019 Update 3 or later clusters.

However, patching existing HPC Pack 2019 Update 2 or earlier clusters to Update 3 and later does not generate the Linux authentication key. Users should set the Linux authentication key according to the following steps and verify that any Linux compute nodes are still working before installing the Update 3 patch.

Note

The authenticationKey parameter of the ARM template does not apply to head nodes of deployed HPC Pack 2019 Update 2 or earlier clusters, but will apply and propagate to all deployed Linux compute nodes regardless of cluster version. Users must immediately manually set the Linux authentication key on head nodes of HPC Pack 2019 Update 2 or earlier clusters as soon as they are deployed via ARM Template.

On each head node of the HPC Pack cluster, run Update-HpcLinuxAuthenticationKey.ps1 with the same AuthenticationKey parameter to set or update the Linux authentication key of head nodes. This script sets the cluster registry setting and, if needed, updates the built-in ARM template for Azure IaaS Linux nodes for pre-shared key propagation.

If you need to go back to the old (insecure) behavior for troubleshooting purposes, remove the [ValidateNotNullOrEmpty()] attribute of the AuthenticationKey parameter, then run the script with an empty string AuthenticationKey parameter.

If you have set the Linux authentication key already, run the following PowerShell command to retrieve the currently set Linux authentication key:

Get-HpcClusterRegistry -PropertyName ClusterAuthenticationKey

Managing Linux authentication key on Linux compute nodes

Note

The setup.py script for on-premises Linux node installation in HPC Pack 2019 Update 2 and earlier clusters does not accept the authenticationKey parameter. Users need to update their setup.py script to perform on-premises Linux compute node installation.

Edit the configuration file of the Linux node agent, i.e. /opt/hpcnodemanager/nodemanager.json, and add or update the ClusterAuthenticationKey option so that it is the Linux authentication key of the cluster, the same as the one set on your head node(s). For example, you could use the following command line to change the configuration:

# back up the configuration
cp /opt/hpcnodemanager/nodemanager.json /opt/hpcnodemanager/nodemanager_backup.json
jq '. + {ClusterAuthenticationKey: "your_value_here"}' /opt/hpcnodemanager/nodemanager.json > /opt/hpcnodemanager/nodemanager_updated.json
cat /opt/hpcnodemanager/nodemanager_updated.json > /opt/hpcnodemanager/nodemanager.json

If you need to go back to the old (insecure) behavior for troubleshooting purposes, set ClusterAuthenticationKey to the empty string "".

Reboot the Linux compute node once the above change is applied.
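
The compute-node update above, written as reusable shell functions that reject an empty or out-of-charset key and leave nodemanager.json untouched if jq fails. This is an added example, not part of the HPC Pack documentation or tooling; the function names, the HPC_KEY variable and the temp-file naming are assumptions, and jq must be installed.

```bash
#!/usr/bin/env bash
# Added example; function names and temp-file naming are assumptions.

# Accept only a non-empty key made of the documented characters:
# alphanumerics and - . _ ~ + / =
valid_key() (
  LC_ALL=C   # make A-Z, a-z, 0-9 plain ASCII ranges
  case "$1" in
    ''|*[!A-Za-z0-9._~+/=-]*) exit 1 ;;
  esac
)

# 32 random bytes, base64-encoded: 44 characters, all within the allowed set.
new_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write ClusterAuthenticationKey into the agent config ($1) without leaving
# the file truncated or half-written when jq fails (for example on bad JSON).
set_node_key() {
  conf=$1 key=$2
  valid_key "$key" || { echo "refusing empty or malformed key" >&2; return 1; }
  (
    umask 077                                # backup and temp copy hold the key
    tmp=$(mktemp "$conf.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT
    cp "$conf" "${conf%.json}_backup.json" || exit 1
    # Pass the key through the environment so it does not appear in argv.
    HPC_KEY=$key jq '. + {ClusterAuthenticationKey: env.HPC_KEY}' "$conf" > "$tmp" || exit 1
    cat "$tmp" > "$conf"                     # keeps the file's owner and mode
  )
}

# Usage, as root on the compute node, with the key already set on the head node(s):
#   set_node_key /opt/hpcnodemanager/nodemanager.json "$key"
```

Run new_key once and apply the resulting value to the head node(s) and every Linux compute node; generating a different key per node breaks the pre-shared key match.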