
Manage Linux authentication key for HPC Pack


To address the critical vulnerability CVE-2025-21198, all HPC Pack 2016 clusters and HPC Pack 2019 Update 2 and earlier clusters must immediately apply the following steps to set a Linux authentication key on all head nodes and all Linux compute nodes. This includes any clusters that do not have Linux compute nodes at all. Clusters that are exclusively on Windows still need to set the Linux authentication key on all head nodes.

In addition, any newly-installed HPC Pack 2016 clusters and HPC Pack 2019 Update 2 and earlier clusters must immediately apply the following steps to set the Linux authentication key on the head node(s) and Linux compute nodes right after installation. This includes both clusters deployed via the installer and clusters deployed via ARM templates.

HPC Pack 2019 Update 3 and later clusters, whether deployed via installer or ARM templates, will set or generate Linux authentication keys by default during installation, and therefore would not require the following fix-up steps.

The Linux authentication key is a pre-shared key between HPC Pack head nodes and HPC Pack Linux compute nodes, securing communication between head nodes and compute nodes. It is a password string that can be of any length, containing alphanumeric characters or -, ., _, ~, +, / and = symbols.

The Linux authentication key setting is maintained separately on head nodes and each Linux compute node, and each node in the same cluster need to set the Linux authentication key to the same value.

Managing Linux authentication key on head node(s)


The authenticationKey parameter of the ARM template does not apply to head nodes of deployed HPC Pack 2019 Update 2 or earlier clusters, but will apply to all deployed Linux compute nodes regardless of cluster version. Users must immediately manually set the Linux authentication key on head nodes of HPC Pack 2019 Update 2 or earlier clusters deployed via ARM Template.

On each head node of the HPC Pack cluster, run Update-HpcLinuxAuthenticationKey.ps1 with the same AuthenticationKey parameter to set or update the Linux authentication key of head nodes. This script would set the cluster registry setting and update the built-in ARM template for Azure IaaS Linux nodes for pre-shared key propagation if needed.

In case if you find yourself needing to go back to the old (insecure) behavior for troubleshooting purposes, remove the [ValidateNotNullOrEmpty()] attribute of the AuthenticationKey parameter, then run the script with an empty string AuthenticationKey parameter.

If you have set the Linux authentication key already, run the following PowerShell command to retrieve the currently set Linux authentication key:

Get-HpcClusterRegistry -PropertyName ClusterAuthenticationKey

Managing Linux authentication key on Linux compute nodes


HPC Pack 2019 Update 2 and earlier clusters' setup.py script for on-premises Linux node installation does not accept the authenticationKey parameter. Users would need to update their setup.py script to perform on-prem Linux compute node installation.

Edit the configuration file of the Linux node agent, i.e. /opt/hpcnodemanager/nodemanager.json and add or update the ClusterAuthenticationKey option to be the Linux authentication key of the cluster, same as the one set on your head node(s). For example, you could use the following command line to change the configuration:

# back up the confiugration
cp /opt/hpcnodemanager/nodemanager.json /opt/hpcnodemanager/nodemanager_backup.json
jq '. + {ClusterAuthenticationKey: "your_value_here"}' /opt/hpcnodemanager/nodemanager.json > /opt/hpcnodemanager/nodemanager_updated.json
cat /opt/hpcnodemanager/nodemanager_updated.json > /opt/hpcnodemanager/nodemanager.json

Reboot the Linux compute node once the above change is applied.