[slurm-dev] Re: pam_slurm: how can I exclude some users from pam_slurm?

2015-09-25 Thread Koji Tanaka
Thank you Marcin and Michael. pam_listfile worked great. I leave the link
to my note for someone who wants to do the same thing.
https://gist.github.com/kjtanaka/e38eaf45b2255310033e

Best regards,
Koji

On Fri, Sep 25, 2015 at 2:18 AM, Michael Jennings  wrote:

>
> On Thu, Sep 24, 2015 at 9:18 PM, Koji Tanaka  wrote:
>
> > Is there a way to exclude some users from pam_slurm?
> >
> > I've successfully set up ssh restriction using pam_slurm, but there's
> > one problem. When we deploy our system, we use a regular user
> > account+sudo+ansible, instead of logging in as root. So if a compute node
> > has a problem with slurm, the deploying-user won't be able to log in to the
> > node. The simple solution is to enable root ssh login, but is there a
> > way to exclude the deploy-user from the pam_slurm restriction?
>
> Your best bet is probably to use pam_succeed_if.so to skip past
> pam_slurm for that particular user.  I've used this technique to set
> up local authentication for the root user while authenticating
> everyone else via OTP.  Here's how that's done:
>
> #%PAM-1.0
> ...
> auth   [success=ignore default=1]  pam_succeed_if.so quiet uid ne 0
> auth   [success=done default=bad]  pam_radius_auth.so conf=/etc/raddb/server
> auth   include  system-auth
> ...
>
> This basically checks if the uid is 0, and if so, skips the next line.
> If not, it continues with the next line.  Then pam_radius_auth.so will
> return success (and not process the next line) if the user
> successfully authenticates via OTP and failure (again, not processing
> the next line) if they don't.
>
> You should be able to use a very similar technique with pam_slurm.so
> (using it as the 2nd line instead of pam_radius_auth.so).  Just make
> SURE you test the holy living hell out of it!  PAM is wily, very easy
> to get wrong, and can leave your system vulnerable if you do.  All
> warranties, express or implied, are hereby disclaimed!  ;-)
>
> HTH,
> Michael
>
> --
> Michael Jennings 
> Senior HPC Systems Engineer
> High-Performance Computing Services
> Lawrence Berkeley National Laboratory
> Bldg 50B-3209EW: 510-495-2687
> MS 050B-3209  F: 510-486-8615
>


[slurm-dev] Re: pam_slurm: how can I exclude some users from pam_slurm?

2015-09-25 Thread Michael Jennings

On Thu, Sep 24, 2015 at 9:18 PM, Koji Tanaka  wrote:

> Is there a way to exclude some users from pam_slurm?
>
> I've successfully set up ssh restriction using pam_slurm, but there's
> one problem. When we deploy our system, we use a regular user
> account+sudo+ansible, instead of logging in as root. So if a compute node
> has a problem with slurm, the deploying-user won't be able to log in to the
> node. The simple solution is to enable root ssh login, but is there a way to
> exclude the deploy-user from the pam_slurm restriction?

Your best bet is probably to use pam_succeed_if.so to skip past
pam_slurm for that particular user.  I've used this technique to set
up local authentication for the root user while authenticating
everyone else via OTP.  Here's how that's done:

#%PAM-1.0
...
auth   [success=ignore default=1]  pam_succeed_if.so quiet uid ne 0
auth   [success=done default=bad]  pam_radius_auth.so conf=/etc/raddb/server
auth   include  system-auth
...

This basically checks if the uid is 0, and if so, skips the next line.
If not, it continues with the next line.  Then pam_radius_auth.so will
return success (and not process the next line) if the user
successfully authenticates via OTP and failure (again, not processing
the next line) if they don't.

You should be able to use a very similar technique with pam_slurm.so
(using it as the 2nd line instead of pam_radius_auth.so).  Just make
SURE you test the holy living hell out of it!  PAM is wily, very easy
to get wrong, and can leave your system vulnerable if you do.  All
warranties, express or implied, are hereby disclaimed!  ;-)

HTH,
Michael

-- 
Michael Jennings 
Senior HPC Systems Engineer
High-Performance Computing Services
Lawrence Berkeley National Laboratory
Bldg 50B-3209EW: 510-495-2687
MS 050B-3209  F: 510-486-8615


[slurm-dev] Re: pam_slurm: how can I exclude some users from pam_slurm?

2015-09-25 Thread Marcin Stolarek
pam_listfile before pam_slurm with the "sufficient" keyword in the pam.d/ssh
configuration?

cheers,
marcin

2015-09-25 6:18 GMT+02:00 Koji Tanaka :

> Hello Slurm Community,
>
> Is there a way to exclude some users from pam_slurm?
>
> I've successfully set up ssh restriction using pam_slurm, but there's
> one problem. When we deploy our system, we use a regular user
> account+sudo+ansible, instead of logging in as root. So if a compute node
> has a problem with slurm, the deploying-user won't be able to log in to the
> node. The simple solution is to enable root ssh login, but is there a way
> to exclude the deploy-user from the pam_slurm restriction?
>
> Thank you and best regards,
> Koji
>
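The two bypass patterns proposed in this thread (Michael's pam_succeed_if line with a numeric jump action, and Marcin's pam_listfile marked sufficient) differ in what else they skip, and PAM control flow is exactly the part Michael warns is easy to get wrong. The script below is an added example, not code from the thread, from Slurm or from Linux-PAM: it is a small evaluator of Linux-PAM's control-flag dispatch rules (ok, done, bad, die, ignore and the jump-over-N action) that runs three candidate account stacks against in-memory stand-ins for the modules. The user names deploy, alice and mallory, the list file /etc/security/slurm-bypass, the reduction of system-auth to a single pam_unix line and the simulated pam_slurm (which only checks for a running job and does not model the real module's handling of root) are all constructed for the example. pam_slurm.so is an account-type module, so the stacks are written as account lines rather than the auth lines in Michael's RADIUS example.

```python
# Mini Linux-PAM dispatcher for the pam_slurm bypass stacks discussed in this thread.
# Added example, not Slurm or Linux-PAM code; the modules are in-memory stand-ins.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"
# Keyword shorthands as pam.conf(5) defines them (new_authtok_reqd cases left out).
SHORTHAND = {"required":   {"success": "ok",   "default": "bad"},
             "requisite":  {"success": "ok",   "default": "die"},
             "sufficient": {"success": "done", "default": "ignore"},
             "optional":   {"success": "ok",   "default": "ignore"}}

def pam_succeed_if(args, env):
    """'field op value' tests as used in the thread (eq/=, ne/!=); 'quiet' is ignored."""
    conds = [a for a in args if a != "quiet"]
    for field, op, value in zip(conds[0::3], conds[1::3], conds[2::3]):
        equal = str(env[field]) == value
        if (op in ("eq", "=") and not equal) or (op in ("ne", "!=") and equal):
            return PAM_AUTH_ERR                        # condition false
    return PAM_SUCCESS

MODULES = {
    "pam_succeed_if.so": pam_succeed_if,
    # stand-in for pam_slurm.so: allow only users with a job on this node
    "pam_slurm.so": lambda a, env: PAM_SUCCESS if env["user"] in env["users_with_jobs"] else PAM_PERM_DENIED,
    # stand-in for pam_listfile.so item=user sense=allow; env["listfile"] replaces the file
    "pam_listfile.so": lambda a, env: PAM_SUCCESS if env["user"] in env["listfile"] else PAM_AUTH_ERR,
    "pam_unix.so": lambda a, env: PAM_SUCCESS,         # account assumed in good standing
}

def parse_stack(text, includes):
    """Parse pam.d lines 'type control module args'; 'include' is spliced in place."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):                       # e.g. [success=ignore default=1]
            ctl_text, rest = rest[1:].split("]", 1)
            ctl = {}
            for kv in ctl_text.split():
                key, val = kv.split("=")
                ctl[key] = int(val) if val.isdigit() else val
        else:
            keyword, rest = rest.split(None, 1)
            if keyword == "include":
                stack.extend(parse_stack(includes[rest.strip()], includes))
                continue
            ctl = dict(SHORTHAND[keyword])
        module, *args = rest.split()
        stack.append((ctl, module, args))
    return stack

def run_stack(stack, env):
    """Apply Linux-PAM's dispatch rules; return (final status, modules consulted)."""
    impression, status, consulted, i = None, None, [], 0   # None == nothing recorded yet
    while i < len(stack):
        ctl, module, args = stack[i]
        retval = MODULES[module](args, env)
        consulted.append(module)
        # bracket keys are lower-case status names: success, auth_err, perm_denied, default
        action = ctl.get(retval[4:].lower(), ctl.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "+" and status == PAM_SUCCESS):
                impression, status = "+", retval
            if action == "done" and impression == "+":
                break                                  # stack decided, e.g. 'sufficient'
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", retval       # first failure is the stack's result
            if action == "die":
                break
        elif isinstance(action, int):
            # Jump over the next N modules; the jumping module's own result is not recorded,
            # which is what lets a failed pam_succeed_if test skip pam_slurm without poisoning the stack.
            i += action
            if i >= len(stack):
                raise ValueError(f"{module}: jump past end of stack")
        elif action != "ignore":
            raise ValueError(f"{module}: unknown action {action!r}")
        i += 1
    return (status if impression is not None else PAM_PERM_DENIED), consulted

# Constructed stacks. system-auth is reduced to pam_unix; /etc/security/slurm-bypass is a made-up file name.
INCLUDES = {"system-auth": "account required pam_unix.so"}
SKIP_STACK = ("account [success=ignore default=1] pam_succeed_if.so quiet user ne deploy\n"
              "account required pam_slurm.so\n"
              "account include system-auth\n")
DONE_STACK = SKIP_STACK.replace("required pam_slurm.so", "[success=done default=bad] pam_slurm.so")
LISTFILE_STACK = ("account sufficient pam_listfile.so item=user sense=allow file=/etc/security/slurm-bypass onerr=fail\n"
                  "account required pam_slurm.so\n"
                  "account include system-auth\n")

def decide(stack_text, user, users_with_jobs=("alice",), listfile=("deploy",)):
    """Evaluate one stack for one user; by default alice owns a job and deploy is the listed bypass user."""
    env = {"user": user, "uid": 0 if user == "root" else 1000,   # uid lets 'uid ne 0' tests run too
           "users_with_jobs": set(users_with_jobs), "listfile": set(listfile)}
    return run_stack(parse_stack(stack_text, INCLUDES), env)

if __name__ == "__main__":
    for name, text in (("skip", SKIP_STACK), ("done", DONE_STACK), ("listfile", LISTFILE_STACK)):
        for user in ("deploy", "alice", "mallory"):
            print(name, user, *decide(text, user))
```

Running it shows the difference a practitioner should check for. The jump form skips only pam_slurm for the deploy user and still consults system-auth, while a user without a job is still refused by pam_slurm. Translating Michael's RADIUS line literally, with [success=done default=bad] on pam_slurm, ends the account stack as soon as pam_slurm succeeds, so system-auth (password expiry, pam_access and whatever else lives there) is never consulted for job owners; required, or [success=ok default=bad], keeps it in the path. Marcin's sufficient pam_listfile returns before both pam_slurm and system-auth for every listed user, which is fine for a short emergency list but is a broader bypass than the jump. Whichever form is chosen, test it against the real stack with a listed user, an unlisted user, and a user with and without a running job, as Michael advises.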