CAUTION: Please test this on a test machine/VM before you actually do this on your Slurm compute node.
Step 1. Make sure pam_listfile.so exists on your system. The following command is an example on Red Hat 6:
ls -la /lib64/security/pam_listfile.so
Step 2. Create a user list (e.g. /etc/ssh/allowed_users):
# /etc/ssh/allowed_users
root
myadmin
Optionally, change the file mode to keep the list secret from regular users:
chmod 600 /etc/ssh/allowed_users
NOTE: root does not necessarily have to be listed in allowed_users, but I feel somewhat safe if it's on the list.
Step 3. In /etc/pam.d/sshd, add pam_listfile.so with the sufficient flag before pam_slurm.so (e.g. my /etc/pam.d/sshd looks like this):
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account sufficient pam_listfile.so item=user sense=allow file=/etc/ssh/allowed_users onerr=fail
account required pam_slurm.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
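Done. Users listed in /etc/ssh/allowed_users should now be able to log in to the compute node. Because the pam_listfile.so line is marked sufficient, a match there grants access before pam_slurm.so is consulted; all other users are still checked by pam_slurm.so.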
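The following script is an added example, not part of the original instructions. It checks the two things that most often go wrong with this setup: the order of the account lines in the PAM file, and the state of the list file. pam_listfile refuses a list that is world-writable or not a regular file, and with onerr=fail that is treated as a failure. The function names (list_file_ok, user_listed, order_ok, audit) and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for the pam_listfile + pam_slurm setup above.
# Function names are hypothetical; paths are passed in as arguments.

# True if FILE is a regular file that is not world-writable
# (pam_listfile rejects a list that is world-writable or not a regular file).
list_file_ok() {
    [ -n "$(find "$1" -prune -type f ! -perm -0002 -print 2>/dev/null)" ]
}

# True if USER appears as a whole line in FILE (exact match, no substrings).
user_listed() {
    grep -Fxq -- "$1" "$2"
}

# True if an active "account sufficient pam_listfile.so" line precedes
# the first active "account ... pam_slurm.so" line in the PAM file.
order_ok() {
    awk '
        /^[ \t]*#/ { next }    # skip comment lines, including "#%PAM-1.0"
        $1 == "account" && $2 == "sufficient" && $3 ~ /pam_listfile\.so$/ && !lf { lf = NR }
        $1 == "account" && $3 ~ /pam_slurm\.so$/ && !sl { sl = NR }
        END { exit !(lf && sl && lf < sl) }
    ' "$1"
}

# audit PAM_FILE LIST_FILE: print one line per check, non-zero on any failure.
audit() {
    rc=0
    order_ok "$1"     && echo "OK   pam_listfile precedes pam_slurm in $1" \
                      || { echo "FAIL pam_listfile is not before pam_slurm in $1"; rc=1; }
    list_file_ok "$2" && echo "OK   $2 is a regular, non-world-writable file" \
                      || { echo "FAIL $2 is missing, not regular, or world-writable"; rc=1; }
    return "$rc"
}

# Usage: sh check_pam_listfile.sh /etc/pam.d/sshd /etc/ssh/allowed_users
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Run it on the test machine after editing /etc/pam.d/sshd and before closing your existing root session, so a misordered stack can be fixed without losing access.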