Hi Marco,

It looks like the online faq doesn't go into detail on the specific config for limiting ssh access; there is a README in the contribs/pam directory which mentions adding the pam module to /etc/pam.d/system-auth which may be adding to the confusion as this doesn't appear to be sufficient on a reasonably vanilla CentOS 6.3 distribution.

We've always used the sshd config on RHEL6.x boxes and haven't had a problem so that's why I mentioned it. A previous poster also mentioned adding the slurm pam module to /etc/pam.d/password-auth and this also works on CentOS 6.3.

-k

On Mar 7, 2013, at 4:30 AM, Marco Passerini wrote:

>
> Hi,
>
> Thanks for the link, unfortunately the instructions in that page didn't
> work for my system. Only once I added the following line to
> /etc/pam.d/sshd the system worked correctly:
>
> account required pam_slurm.so
>
> I could find no instructions in those pages about editing the
> /etc/pam.d/sshd file, maybe they should be reviewed.
>
>
> On 2013-03-07 01:38, Moe Jette wrote:
>>
>> See the Slurm documents at schedmd.com. They are two years newer than
>> the documents at llnl.gov
>>
>> www.schedmd.com/slurmdocs/faq.html#pam
>>
>>
>> Quoting Marco Passerini <[email protected]>:
>>
>>>
>>> Hi,
>>>
>>> That did the trick, many thanks!
>>>
>>> May I ask you, why did it work?
>>>
>>> In another of our systems (Centos5, slurm-2.3.2) PAM is working
>>> properly, and we have the pam_slurm entry only in these files:
>>> [root@n1 ~]# find /etc/pam.d/ | xargs grep slurm
>>> /etc/pam.d/system-auth-ac:account required /lib64/security/pam_slurm.so
>>> /etc/pam.d/system-auth:account required /lib64/security/pam_slurm.so
>>>
>>> And then we have the /etc/pam.d/slurm file.
>>>
>>>
>>> I couldn't find the /etc/pam.d/sshd mention in this guide:
>>> http://lists.schedmd.com/cgi-bin/dada/mail.cgi/r/slurmdev/112511956494/
>>>
>>>
>>> On 2013-03-06 17:11, Karl Schulz wrote:
>>>>
>>>> I may have missed it, but did you update your pam config for sshd?
>>>>
>>>> # grep slurm /etc/pam.d/sshd
>>>> account required /lib64/security/pam_slurm.so
>>>>
>>>> -k
>>>>
>>>> On Mar 6, 2013, at 7:48 AM, Marco Passerini <[email protected]> wrote:
>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm configuring a new cluster, with the latest development version of
>>>>> Slurm.
>>>>> I'd like to have PAM configured to normally prevent users from
>>>>> logging into the compute nodes, and allow them to log into the nodes
>>>>> only when they have a valid allocation. I tried to configure Slurm-PAM
>>>>> but it didn't work.
>>>>>
>>>>> The computing nodes run CentOS 6.3, are configured in the following way:
>>>>>
>>>>> [root@c2 ~]# rpm -qa | grep slurm
>>>>> slurm-devel-2.6.0-0pre1.el6.x86_64
>>>>> slurm-lua-2.6.0-0pre1.el6.x86_64
>>>>> slurm-sql-2.6.0-0pre1.el6.x86_64
>>>>> slurm-slurmdbd-2.4.3-1.el6.x86_64
>>>>> slurm-plugins-2.6.0-0pre1.el6.x86_64
>>>>> slurm-pam_slurm-2.6.0-0pre1.el6.x86_64
>>>>> slurm-munge-2.6.0-0pre1.el6.x86_64
>>>>> slurm-spank-x11-debuginfo-0.2.5-1.x86_64
>>>>> slurm-2.6.0-0pre1.el6.x86_64
>>>>> slurm-sjobexit-2.6.0-0pre1.el6.x86_64
>>>>> slurm-sjstat-2.6.0-0pre1.el6.x86_64
>>>>> slurm-perlapi-2.6.0-0pre1.el6.x86_64
>>>>> slurm-torque-2.6.0-0pre1.el6.x86_64
>>>>> slurm-spank-x11-0.2.5-1.x86_64
>>>>>
>>>>> [root@c2 ~]# rpm -ql slurm-pam_slurm
>>>>> /lib64/security/pam_slurm.so
>>>>>
>>>>> [root@c2 ~]# cat /etc/pam.d/slurm
>>>>> auth required pam_localuser.so
>>>>> account required pam_unix.so
>>>>> session required pam_limits.so
>>>>>
>>>>>
>>>>> [root@c2 ~]# cat /etc/pam.d/system-auth
>>>>> #%PAM-1.0
>>>>> # This file is auto-generated.
>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>> auth required pam_env.so
>>>>> auth sufficient pam_unix.so try_first_pass nullok
>>>>> auth required pam_deny.so
>>>>>
>>>>> account required pam_unix.so broken_shadow
>>>>> account required pam_slurm.so
>>>>>
>>>>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>>>>> password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
>>>>> password required pam_deny.so
>>>>>
>>>>> session optional pam_keyinit.so revoke
>>>>> session required pam_limits.so
>>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>> session required pam_unix.so
>>>>>
>>>>>
>>>>> [root@c2 ~]# ls -lah /etc/pam.d/slurm
>>>>> -rw-r--r-- 1 root root 101 Aug 8 2012 /etc/pam.d/slurm
>>>>>
>>>>> [root@c2 ~]# ls -lah /etc/pam.d/system-auth
>>>>> -rw-r--r-- 1 root root 745 Aug 8 2012 /etc/pam.d/system-auth
>>>>>
>>>>>
>>>>> [root@c2 ~]# cat /etc/slurm/slurm.conf | grep -i pam
>>>>> UsePAM=1
>>>>>
>>>>> [root@c2 ~]# cat /etc/slurm/slurm.conf | grep -i PropagateRes
>>>>> PropagateResourceLimitsExcept=MEMLOCK,RLIMIT_AS,RLIMIT_CPU,RLIMIT_NPROC,RLIMIT_CORE,RLIMIT_DATA,RLIMIT_RSS,STACK
>>>>>
>>>>> There's a copy of my ssh-key in the .ssh/authorized_keys in my home
>>>>> folder.
>>>>>
>>>>> On the nodes there's my user identity in /etc/passwd and /etc/group, but
>>>>> there's no shadow file.
>>>>>
>>>>> If I login with my account to a node I can enter with no problems and
>>>>> /var/log/secure says the following:
>>>>>
>>>>> Mar 6 15:22:35 c2 sshd[64542]: Accepted publickey for myusername from 10.10.0.13 port 54821 ssh2
>>>>> Mar 6 15:22:35 c2 sshd[64542]: pam_unix(sshd:session): session opened for user myusername by (uid=0)
>>>>>
>>>>> So, how can I prevent normal users to enter into the nodes if there's no
>>>>> allocation? Am I doing something wrong?
>>>>>
>>>>> Thanks in advance,
>>>>> Marco
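
The thread checks for pam_slurm.so by grepping individual files; the example below, added here and not code from the thread or from Slurm, resolves the `include`/`substack` lines of a service file to show whether pam_slurm.so is actually in the account stack that sshd evaluates. The sample files are constructed, and their layout (sshd including password-auth rather than system-auth) is an assumption; `account_stack`, `gated_by` and `write_sample` are hypothetical names.

```python
import os
import tempfile

def account_stack(pam_dir, service, _chain=()):
    """Account stack of `service` as (control, module, file), includes resolved."""
    if service in _chain:                        # guard against include loops
        return []
    try:
        with open(os.path.join(pam_dir, service)) as fh:
            lines = fh.read().splitlines()
    except OSError:                              # a missing file adds nothing
        return []
    stack = []
    for raw in lines:
        tok = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if len(tok) < 3 or tok[0].lstrip("-") != "account":
            continue
        end = 1
        if tok[1].startswith("["):               # "[success=1 default=ignore]"
            while end < len(tok) - 2 and not tok[end].endswith("]"):
                end += 1
        control, target = " ".join(tok[1:end + 1]), tok[end + 1]
        if control in ("include", "substack"):
            stack += account_stack(pam_dir, target, _chain + (service,))
        else:
            stack.append((control, os.path.basename(target), service))
    return stack

def gated_by(pam_dir, service, module="pam_slurm.so"):
    """True if `module` is in the service's effective account stack."""
    return any(m == module for _, m, _ in account_stack(pam_dir, service))

SAMPLE = {  # constructed files: sshd includes password-auth, not system-auth
    "sshd": "#%PAM-1.0\naccount required pam_nologin.so\naccount include password-auth\n",
    "password-auth": "account required pam_unix.so broken_shadow\n",
    "system-auth": "account required pam_unix.so\naccount required pam_slurm.so\n",
}

def write_sample(extra_sshd_line=""):
    """Write SAMPLE to a temp dir, optionally appending a line to sshd."""
    root = tempfile.mkdtemp()
    for name, text in SAMPLE.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text + (extra_sshd_line if name == "sshd" else ""))
    return root

if __name__ == "__main__":
    for extra in ("", "account required /lib64/security/pam_slurm.so\n"):
        print(repr(extra), "->", gated_by(write_sample(extra), "sshd"))
```

Calling `gated_by("/etc/pam.d", "sshd")` on a compute node answers the question for that host's own files. The check reports presence only; it does not evaluate whether an earlier `sufficient` entry would end the stack before pam_slurm.so runs.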
