Configuration to modify external authentication

You can modify external authentication behavior by writing your own eauth executable. There are also configuration parameters that modify various aspects of external authentication behavior by:
  • Increasing security through the use of an external encryption key (recommended)

  • Specifying a trusted user account under which the eauth executable runs (UNIX and Linux only)

You can also choose Kerberos authentication to provide a secure data exchange during LSF user and daemon authentication and to forward credentials to a remote host for use during job execution.

Configuration to modify security


Parameter and syntax




  • The eauth executable uses the external encryption key that you define to encrypt and decrypt the credentials.

  • The key must contain at least six characters and must use only printable characters.

  • For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. You must also configure eauth as setuid to root so that eauth can read the lsf.sudoers file and obtain the value of LSF_EAUTH_KEY.

  • For Windows, you must edit the shared lsf.sudoers file.

Configuration to specify the eauth user account

On UNIX hosts, the eauth executable runs under the account of the primary LSF administrator. You can modify this behavior by specifying a different trusted user account. For Windows hosts, you do not need to modify the default behavior because eauth runs under the service account, which is always a trusted, secure account.


Parameter and syntax




  • UNIX only

  • The eauth executable runs under the account of the specified user rather than the account of the LSF primary administrator

  • You must edit the lsf.sudoers file on all hosts within the cluster and specify the same user name.

Configuration to modify Kerberos authentication

Kerberos authentication is supported only for UNIX and Linux hosts, and only on the following operating systems:
  • IRIX 6.5

  • Linux 2.x

  • Solaris 2.x

Configuration file

Parameter and syntax




  • Enables external authentication


  • Enables daemon authentication when external authentication is enabled


  • Controls the user Ticket Granting Ticket (TGT) forwarding feature


  • Specifies a directory in which Ticket Granting Ticket (TGT) for a running job is stored.


  • Sets a time interval for how long krbrenewd and root sbd should wait before the next check.


  • Specifies how long krbrenewd and root sbd have to renew Ticket Granting Ticket (TGT) before it expires.

LSB_KRB_LIB_PATH=path to krb5 lib

  • Specifies the Lib path that contains krb5 libs.


  • Makes bsub call eauth for each sub-pack.



  • for Kerberos authentication, the eauth executable must run under the root account

  • You must edit the lsf.sudoers file on all hosts within the cluster and specify the same user name. The Kerberos specific eauth is only used for user authentication or deamon authentication