[slurm-users] Temporarily bypassing pam_slurm_adopt.so
9 views
Skip to first unread message
Daniel L'Hommedieu via slurm-users
Jul 8, 2024, 4:56:38 PM (7 days ago) Jul 8
to slurm-users
Hi, all.
We have a use case where we need to allow a group of users (members of an LDAP group, which I can easily add to a Linux group) to SSH to a compute node, without disabling pam_slurm_adopt.so. Is there a way to do this? We can add users to the sudo group, which will bypass pam_slurm_adopt.so, but we do not want to grant sudo access to these users.
Is there any way to bypass for a group of users, pam_slurm_adopt.so without removing it from /etc/pam.d/sshd, and without adding them to the sudo group?
Thanks.
Daniel
--
slurm-users mailing list -- slurm...@lists.schedmd.com
To unsubscribe send an email to slurm-us...@lists.schedmd.com
We have a use case where we need to allow a group of users (members of an LDAP group, which I can easily add to a Linux group) to SSH to a compute node, without disabling pam_slurm_adopt.so. Is there a way to do this? We can add users to the sudo group, which will bypass pam_slurm_adopt.so, but we do not want to grant sudo access to these users.
Is there any way to bypass for a group of users, pam_slurm_adopt.so without removing it from /etc/pam.d/sshd, and without adding them to the sudo group?
Thanks.
Daniel
--
slurm-users mailing list -- slurm...@lists.schedmd.com
To unsubscribe send an email to slurm-us...@lists.schedmd.com
David Schanzenbach via slurm-users
Jul 8, 2024, 5:16:29 PM (7 days ago) Jul 8
to Daniel L'Hommedieu, slurm-users
Hi Daniel,
Utilizing pam_access with pam_slurm_adopt might be what you are looking for?
https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access
Thanks,
David
Utilizing pam_access with pam_slurm_adopt might be what you are looking for?
https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access
Thanks,
David
Chris Taylor via slurm-users
Jul 8, 2024, 5:49:53 PM (7 days ago) Jul 8
to David Schanzenbach, David Schanzenbach via slurm-users, Daniel L'Hommedieu
On my Rocky9 cluster I got this to work fine also-
Added at the end of /etc/pam.d/sshd:
account sufficient pam_listfile.so item=user sense=allow onerr=fail file=/etc/slurm/allowed_users_file
account required pam_slurm_adopt.so
I added a couple of usernames to /etc/slurm/allowed_users_file and they can SSH to the node without a job or allocation there.
Chris
> On 07/08/2024 2:07 PM PDT David Schanzenbach via slurm-users <slurm...@lists.schedmd.com> wrote:
>
>
> Hi Daniel,
>
> Utilizing pam_access with pam_slurm_adopt might be what you are looking for?
> https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access
>
> Thanks,
> David
>
>
Added at the end of /etc/pam.d/sshd:
account sufficient pam_listfile.so item=user sense=allow onerr=fail file=/etc/slurm/allowed_users_file
account required pam_slurm_adopt.so
I added a couple of usernames to /etc/slurm/allowed_users_file and they can SSH to the node without a job or allocation there.
Chris
> On 07/08/2024 2:07 PM PDT David Schanzenbach via slurm-users <slurm...@lists.schedmd.com> wrote:
>
>
> Hi Daniel,
>
> Utilizing pam_access with pam_slurm_adopt might be what you are looking for?
> https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access
>
> Thanks,
> David
>
>
Paul Edmon via slurm-users
Jul 9, 2024, 9:36:18 AM (7 days ago) Jul 9
to slurm...@lists.schedmd.com
We do this by adding groups/users to /etc/security/access.conf That
should grant normal ssh access assuming you still have pam_access.so
still in your sshd config. Note that if the user has a job on the node,
slurm will still shunt them into that job even with the access.conf
setting. So when the job ends the user's session will also end. However
if the user has no job on that node, then they can ssh as normal to that
host with out any problem.
-Paul Edmon-
should grant normal ssh access assuming you still have pam_access.so
still in your sshd config. Note that if the user has a job on the node,
slurm will still shunt them into that job even with the access.conf
setting. So when the job ends the user's session will also end. However
if the user has no job on that node, then they can ssh as normal to that
host with out any problem.
-Paul Edmon-
Timony, Mick via slurm-users
Jul 9, 2024, 2:50:10 PM (6 days ago) Jul 9
to slurm...@lists.schedmd.com, Paul Edmon
At HMS we do the same as Paul's cluster and specify the groups we want to have access to all our compute nodes, we allow two groups that represent our DevOps team and our Research Computing consultants to have access and then corresponding sudo rules for each
group to allow different command sets to be run.
The Slurm docs mentions how
/etc/security/access.conf could be configured at:
Here's an example of how
/etc/security/access.conf could be configured:
+ :sysadmin_group:ALL
+ :researchcomputing_group:ALL
# All other users should be denied to get access from all sources.
- :ALL:ALL
Kind regards
Mick
--
From: Paul Edmon via slurm-users <slurm...@lists.schedmd.com>
Sent: Tuesday, July 9, 2024 9:34 AM
To: slurm...@lists.schedmd.com <slurm...@lists.schedmd.com>
Subject: [slurm-users] Re: Temporarily bypassing pam_slurm_adopt.so
Sent: Tuesday, July 9, 2024 9:34 AM
To: slurm...@lists.schedmd.com <slurm...@lists.schedmd.com>
Subject: [slurm-users] Re: Temporarily bypassing pam_slurm_adopt.so
Reply all
Reply to author
Forward
0 new messages