Thank you Marcin and Michael. pam_listfile worked great. I leave the link to my note for someone who wants to do the same thing. https://gist.github.com/kjtanaka/e38eaf45b2255310033e
Best regards,
Koji

On Fri, Sep 25, 2015 at 2:18 AM, Michael Jennings <[email protected]> wrote:
>
> On Thu, Sep 24, 2015 at 9:18 PM, Koji Tanaka <[email protected]> wrote:
>
> > Is there a way to exclude some users from pam_slurm?
> >
> > I've successfully set up ssh restriction using pam_slurm, but there's
> > one problem. When we deploy our system, we use a regular user
> > account+sudo+ansible, instead of logging in as root. So if a compute node
> > has a problem on slurm, the deploying-user won't be able to log in to the
> > node. The simple solution is to enable root ssh login, but is there a way to
> > exclude the deploy-user from the pam_slurm restriction?
>
> Your best bet is probably to use pam_succeed_if.so to skip past
> pam_slurm for that particular user. I've used this technique to set
> up local authentication for the root user while authenticating
> everyone else via OTP. Here's how that's done:
>
> #%PAM-1.0
> ...
> auth [success=ignore default=1] pam_succeed_if.so quiet uid ne 0
> auth [success=done default=bad] pam_radius_auth.so conf=/etc/raddb/server
> auth include system-auth
> ...
>
> This basically checks if the uid is 0, and if so, skips the next line.
> If not, it continues with the next line. Then pam_radius_auth.so will
> return success (and not process the next line) if the user
> successfully authenticates via OTP and failure (again, not processing
> the next line) if they don't.
>
> You should be able to use a very similar technique with pam_slurm.so
> (using it as the 2nd line instead of pam_radius_auth.so). Just make
> SURE you test the holy living hell out of it! PAM is wily, very easy
> to get wrong, and can leave your system vulnerable if you do. All
> warranties, express or implied, are hereby disclaimed! ;-)
>
> HTH,
> Michael
>
> --
> Michael Jennings <[email protected]>
> Senior HPC Systems Engineer
> High-Performance Computing Services
> Lawrence Berkeley National Laboratory
> Bldg 50B-3209E W: 510-495-2687
> MS 050B-3209 F: 510-486-8615
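For reference, here is what Michael's skip-one-module technique looks like when applied to pam_slurm in the `account` stack of `/etc/pam.d/sshd`, followed by the allow-list variant Koji reported using. This is an added illustration, not Michael's config or the contents of Koji's gist: the account name `deploy`, the list file path, and the surrounding `pam_unix.so` line are assumptions. It uses the `success=1` jump (skip the next module when the match succeeds) rather than the `default=1` jump from Michael's auth example, because it leaves the stack state untouched for every user who does not match.

```text
#%PAM-1.0
# /etc/pam.d/sshd, account section (added example; names and paths are assumed)

# Variant 1: pam_succeed_if jump. If the user is "deploy", success=1 skips
# exactly one module (pam_slurm.so); for anyone else the result is ignored
# and pam_slurm.so is evaluated as usual.
account    [success=1 default=ignore]  pam_succeed_if.so quiet user = deploy
account    required                    pam_slurm.so
# Keep a module with a definitive result after the skipped one, so that the
# jump never lands on an empty stack (which PAM treats as a denial).
account    required                    pam_unix.so

# Variant 2: allow-list file (the pam_listfile approach). Users named in the
# file bypass pam_slurm.so; onerr=fail denies if the file cannot be read.
# Note that "sufficient" also short-circuits every later account module
# (for example the pam_unix.so expiry checks) for listed users.
#account   sufficient  pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/slurm_bypass_users
#account   required    pam_slurm.so
#account   required    pam_unix.so
```

Whichever variant is chosen, check it from a second session before closing the one you are editing from: confirm that the deploy account can log in to a node with no running job, that an ordinary user without a job is still refused, and that a user with a job on the node is still admitted.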
