[slurm-dev] Re: pam_slurm: how can I exclude some users from pam_slurm?
Thank you Marcin and Michael.

pam_listfile worked great. I leave the link to my note for someone who wants to do the same thing.

https://gist.github.com/kjtanaka/e38eaf45b2255310033e

Best regards,
Koji

On Fri, Sep 25, 2015 at 2:18 AM, Michael Jennings wrote:

> On Thu, Sep 24, 2015 at 9:18 PM, Koji Tanaka wrote:
>
> > Is there a way to exclude some users from pam_slurm?
> >
> > I've successfully set up ssh restriction with using pam_slurm, but there's
> > one problem. When we deploy our system, we use a regular user
> > account+sudo+ansible, instead of logging in as root. So if a compute node
> > has a problem on slurm, the deploying-user won't be able to login to the
> > node. The simple solution is to enable root ssh login, but is there a way to
> > exclude the deploy-user from pam_slurm restriction?
>
> Your best bet is probably to use pam_succeed_if.so to skip past
> pam_slurm for that particular user. I've used this technique to set
> up local authentication for the root user while authenticating
> everyone else via OTP. Here's how that's done:
>
> #%PAM-1.0
> ...
> auth [success=ignore default=1] pam_succeed_if.so quiet uid ne 0
> auth [success=done default=bad] pam_radius_auth.so conf=/etc/raddb/server
> auth include system-auth
> ...
>
> This basically checks if the uid is 0, and if so, skips the next line.
> If not, it continues with the next line. Then pam_radius_auth.so will
> return success (and not process the next line) if the user
> successfully authenticates via OTP and failure (again, not processing
> the next line) if they don't.
>
> You should be able to use a very similar technique with pam_slurm.so
> (using it as the 2nd line instead of pam_radius_auth.so). Just make
> SURE you test the holy living hell out of it! PAM is wily, very easy
> to get wrong, and can leave your system vulnerable if you do. All
> warranties, express or implied, are hereby disclaimed! ;-)
>
> HTH,
> Michael
>
> --
> Michael Jennings
> Senior HPC Systems Engineer
> High-Performance Computing Services
> Lawrence Berkeley National Laboratory
> Bldg 50B-3209EW: 510-495-2687
> MS 050B-3209 F: 510-486-8615
[slurm-dev] Re: pam_slurm: how can I exclude some users from pam_slurm?
On Thu, Sep 24, 2015 at 9:18 PM, Koji Tanaka wrote:

> Is there a way to exclude some users from pam_slurm?
>
> I've successfully set up ssh restriction with using pam_slurm, but there's
> one problem. When we deploy our system, we use a regular user
> account+sudo+ansible, instead of logging in as root. So if a compute node
> has a problem on slurm, the deploying-user won't be able to login to the
> node. The simple solution is to enable root ssh login, but is there a way to
> exclude the deploy-user from pam_slurm restriction?

Your best bet is probably to use pam_succeed_if.so to skip past
pam_slurm for that particular user. I've used this technique to set
up local authentication for the root user while authenticating
everyone else via OTP. Here's how that's done:

    #%PAM-1.0
    ...
    auth [success=ignore default=1] pam_succeed_if.so quiet uid ne 0
    auth [success=done default=bad] pam_radius_auth.so conf=/etc/raddb/server
    auth include system-auth
    ...

This basically checks if the uid is 0, and if so, skips the next line.
If not, it continues with the next line. Then pam_radius_auth.so will
return success (and not process the next line) if the user
successfully authenticates via OTP and failure (again, not processing
the next line) if they don't.

You should be able to use a very similar technique with pam_slurm.so
(using it as the 2nd line instead of pam_radius_auth.so). Just make
SURE you test the holy living hell out of it! PAM is wily, very easy
to get wrong, and can leave your system vulnerable if you do. All
warranties, express or implied, are hereby disclaimed! ;-)

HTH,
Michael

--
Michael Jennings
Senior HPC Systems Engineer
High-Performance Computing Services
Lawrence Berkeley National Laboratory
Bldg 50B-3209EW: 510-495-2687
MS 050B-3209 F: 510-486-8615
[slurm-dev] Re: pam_slurm: how can I exclude some users from pam_slurm?
pam_listfile before pam_slurm with "sufficient" key word in pam.d/ssh configuration?

cheers,
marcin

2015-09-25 6:18 GMT+02:00 Koji Tanaka:

> Hello Slurm Community,
>
> Is there a way to exclude some users from pam_slurm?
>
> I've successfully set up ssh restriction with using pam_slurm, but there's
> one problem. When we deploy our system, we use a regular user
> account+sudo+ansible, instead of logging in as root. So if a compute node
> has a problem on slurm, the deploying-user won't be able to login to the
> node. The simple solution is to enable root ssh login, but is there a way
> to exclude the deploy-user from pam_slurm restriction?
>
> Thank you and best regards,
> Koji
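
The two suggestions in this thread (Marcin's pam_listfile with "sufficient" and Michael's pam_succeed_if skip), applied to pam_slurm in the sshd account stack, as an added example that is not taken from the thread or from the linked note. The user name deploy, the path /etc/security/slurm_exempt_users, the file name /etc/pam.d/sshd and the surrounding pam_unix.so line are assumptions.

```conf
#%PAM-1.0
# /etc/pam.d/sshd, account stack only (constructed example).
# pam_slurm.so is an account-type module, so the exemption goes in the
# account stack, directly in front of it.

# Checks that must apply to every user (expiry, locked account) go ABOVE
# the exemption, because a successful "sufficient" ends the stack.
account    required     pam_unix.so

# Option A: pam_listfile + "sufficient" (Marcin's suggestion).
# Users listed one per line in the file pass the account stack here and
# never reach pam_slurm.so. Everyone else falls through to it.
#   sense=allow  a name found in the file counts as success
#   onerr=fail   a missing or unreadable file exempts nobody
# Keep the list root-owned and not world-writable (hypothetical path).
account    sufficient   pam_listfile.so item=user sense=allow file=/etc/security/slurm_exempt_users onerr=fail
account    required     pam_slurm.so

# Option B: pam_succeed_if jump (Michael's technique), shown commented out.
# Use it INSTEAD of the pam_listfile line above, not together with it.
#   success=1       skip exactly one following module (pam_slurm.so)
#   default=ignore  a non-matching user is not treated as a failure and
#                   continues to pam_slurm.so
# Unlike "sufficient", modules placed after pam_slurm.so still run for
# the exempt user.
#account   [success=1 default=ignore] pam_succeed_if.so quiet user = deploy
#account   required     pam_slurm.so
```

After changing the stack, keep an existing root session open and confirm from a second session that the exempt user can log in to a node with no job, and that an ordinary user without a job is still refused.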