<div dir="ltr">Hi,<div><br></div><div>Can you please help me understand how the passwordless ssh works on SLURM?<br><br>I was under the assumption that jobs/tasks are ultimately submitted by the "slurm" linux user and not by the linux user who wants to run jobs. Is this not correct? So is it not sufficient for only the "slurm" linux user to have passwordless ssh access to all nodes? Why do we have to give passwordless ssh access to every user of the cluster?</div><div><br></div><div>Thanks,</div><div>Durai</div><div>Zentrum für Datenverarbeitung</div><div>Tübingen</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 8, 2020 at 6:43 PM Ole Holm Nielsen <<a href="mailto:Ole.H.Nielsen@fysik.dtu.dk">Ole.H.Nielsen@fysik.dtu.dk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 08-06-2020 18:07, Jeffrey T Frey wrote:<br>
> There's a Slurm PAM module you can use to gate ssh access -- basically it checks to see if the user has a job running on the node and moves any ssh sessions to the first cgroup associated with that user on that node. If you don't use cgroup resource limiting I think it just gates access w/o any such cgroup assignments.<br>
<br>
The pam_slurm_adopt[1] module is used by lots of Slurm sites for <br>
restricting access by SSH. See the discussion in<br>
<a href="https://wiki.fysik.dtu.dk/niflheim/Slurm_configuration#pam-module-restrictions" rel="noreferrer" target="_blank">https://wiki.fysik.dtu.dk/niflheim/Slurm_configuration#pam-module-restrictions</a><br>
<br>
/Ole<br>
<br>
[1] <a href="https://slurm.schedmd.com/pam_slurm_adopt.html" rel="noreferrer" target="_blank">https://slurm.schedmd.com/pam_slurm_adopt.html</a><br>
<br>
<br>
>> On Jun 8, 2020, at 12:01 , Durai Arasan <<a href="mailto:arasan.durai@gmail.com" target="_blank">arasan.durai@gmail.com</a>> wrote:<br>
>><br>
>> Hi Jeffrey,<br>
>><br>
>> Thanks for the clarification.<br>
>><br>
>> But this is concerning, as the users will be able to ssh into any node. How do you prevent that?<br>
>><br>
>> Best,<br>
>> Durai<br>
>><br>
>> On Mon, Jun 8, 2020 at 5:55 PM Jeffrey T Frey <<a href="mailto:frey@udel.edu" target="_blank">frey@udel.edu</a>> wrote:<br>
>> User home directories are on a shared (NFS) filesystem that's mounted on every node. Thus, they have the same id_rsa key and authorized_keys file present on all nodes.<br>
>><br>
>><br>
>><br>
>><br>
>>> On Jun 8, 2020, at 11:42 , Durai Arasan <<a href="mailto:arasan.durai@gmail.com" target="_blank">arasan.durai@gmail.com</a>> wrote:<br>
>>><br>
>>> Ok, that was useful information.<br>
>>><br>
>>> So when you provision user accounts, you add the public key to .ssh/authorized_keys of *all* nodes on the cluster? Not just the login nodes.. ?<br>
>>> When we provision user accounts on our Slurm cluster we still add .ssh, .ssh/id_rsa (needed for older X11 tunneling via libssh2), and add the public key to .ssh/authorized_keys.<br>
>>><br>
>>> Thanks,<br>
>>> Durai<br>
<br>
</blockquote></div>