@kojiwell
Created September 25, 2015 16:07
Exclude specific users from pam_slurm restriction

CAUTION: Please test this on a test machine/VM before you apply it to your Slurm compute node.

Step 1. Make sure pam_listfile.so exists on your system. The following command is an example on Red Hat 6:

ls -la /lib64/security/pam_listfile.so

Step 2. Create a user list (e.g. /etc/ssh/allowed_users):

# /etc/ssh/allowed_users
root
myadmin

Optionally, change the file mode to keep the list secret from regular users:

chmod 600 /etc/ssh/allowed_users

NOTE: root does not necessarily have to be listed in allowed_users, but I feel somewhat safe if it's on the list.

Step 3. In /etc/pam.d/sshd, add pam_listfile.so with the sufficient control flag before pam_slurm.so. For example, my /etc/pam.d/sshd looks like this:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    sufficient   pam_listfile.so item=user sense=allow file=/etc/ssh/allowed_users onerr=fail
account    required     pam_slurm.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Done. Now your allowed users should be able to log in to the compute node.
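
A check to run on the test machine after Step 3, as an added example that is not part of the original gist: it confirms that pam_listfile.so is an account sufficient entry placed before pam_slurm.so, and lists the account entries a listed user never reaches, because a successful sufficient module ends the account stack (here that includes pam_nologin.so and the password-auth account checks as well as pam_slurm.so). It also checks the list file's mode; the script name lint_pam_slurm.sh and the function names are hypothetical, and it assumes one-word control flags as in the file above.

```shell
#!/bin/sh
# Added example (not from the gist): lint the PAM account stack and allow-list.
# Assumes one-word control flags (required, sufficient, include), as on this page.

# Succeeds only if "account sufficient pam_listfile.so" precedes pam_slurm.so.
check_pam_order() {
    awk '
        $1 == "account" && $2 == "sufficient" && $3 == "pam_listfile.so" && !lf { lf = NR }
        $1 == "account" && $3 == "pam_slurm.so" && !sl { sl = NR }
        END { exit !(lf && sl && lf < sl) }
    ' "$1"
}

# Prints the account entries after the sufficient pam_listfile.so line; PAM
# stops at a successful "sufficient" module, so listed users never reach them.
skipped_for_listed() {
    awk '
        $1 != "account" { next }
        seen { printf "%s%s", sep, $3; sep = " " }
        $2 == "sufficient" && $3 == "pam_listfile.so" { seen = 1 }
        END { if (sep) print "" }
    ' "$1"
}

# Succeeds only if the list is a regular file not writable by group or others.
check_list_file() {
    [ -n "$(find "$1" -prune -type f ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Usage (hypothetical script name):
#   sh lint_pam_slurm.sh /etc/pam.d/sshd /etc/ssh/allowed_users
if [ "$#" -eq 2 ]; then
    check_pam_order "$1" || echo "FAIL: pam_listfile.so (sufficient) must precede pam_slurm.so in $1"
    check_list_file "$2" || echo "FAIL: $2 must be a regular file, not group/other-writable"
    echo "Account entries skipped for listed users: $(skipped_for_listed "$1")"
fi
```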
