CAUTION: Please test this on a test machine/VM before you actually do it on your Slurm compute node.
Step 1. Make sure pam_listfile.so
exists on your system.
The following command is an example on Redhat 6:
ls -la /lib64/security/pam_listfile.so
Step 2. Create a user list (e.g. /etc/ssh/allowed_users), one user name per line:
# /etc/ssh/allowed_users
root
myadmin
Optionally, change the file mode to keep the list secret from regular users:
chmod 600 /etc/ssh/allowed_users
NOTE: root does not necessarily have to be listed in allowed_users, but I feel somewhat safe if it's on the list.
Step 3. In /etc/pam.d/sshd, add pam_listfile.so with the sufficient flag before pam_slurm.so. A user found in the list then passes the account stack at that line, and the account modules after it, pam_slurm.so included, are not run for that user. For example, my /etc/pam.d/sshd looks like this:
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    sufficient   pam_listfile.so item=user sense=allow file=/etc/ssh/allowed_users onerr=fail
account    required     pam_slurm.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
Done. Now your allowed users should be able to log in to the compute node.
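An added check, not part of the original write-up: a shell function that lints a PAM file for the Step 3 layout, i.e. an account pam_listfile.so entry with the sufficient flag and item=user sense=allow onerr=fail, placed before pam_slurm.so. The function name check_pam_order is an assumption made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): lint the account stack of a
# PAM service file for the layout described in Step 3.
# Usage: check_pam_order /etc/pam.d/sshd
# Prints "ok" and returns 0 when the layout matches; otherwise prints the
# first problem found and returns 1 (2 if the file cannot be read).
check_pam_order() {
    pam_file=$1
    [ -r "$pam_file" ] || { echo "cannot read $pam_file" >&2; return 2; }
    awk '
        $1 ~ /^#/ || NF < 3 { next }   # skip comments, blank and short lines
        $1 != "account"     { next }   # only the account stack matters here
        # Remember the first pam_listfile.so entry, its control flag and options.
        $3 ~ /pam_listfile\.so$/ && !listfile {
            listfile = NR; control = $2
            for (i = 4; i <= NF; i++) opt[$i] = 1
        }
        # Remember the first pam_slurm.so entry.
        $3 ~ /pam_slurm\.so$/ && !slurm { slurm = NR }
        END {
            if (!listfile) { print "no account pam_listfile.so entry"; exit 1 }
            if (!slurm)    { print "no account pam_slurm.so entry"; exit 1 }
            if (listfile > slurm) {
                print "pam_listfile.so comes after pam_slurm.so"; exit 1
            }
            if (control != "sufficient") {
                print "pam_listfile.so control is " control ", not sufficient"; exit 1
            }
            if (!("item=user" in opt) || !("sense=allow" in opt)) {
                print "expected item=user sense=allow"; exit 1
            }
            if (!("onerr=fail" in opt)) { print "onerr=fail not set"; exit 1 }
            print "ok"
        }
    ' "$pam_file"
}
```

Run it against the edited file on the test machine before trying a real SSH login.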