Hi, all.
We have a use case where we need to allow a group of users (members of an LDAP group, which I can easily add to a Linux group) to SSH to a compute node, without disabling pam_slurm_adopt.so. Is there a way to do this? We can add users to the sudo group, which will bypass pam_slurm_adopt.so, but we do not want to grant sudo access to these users.
Is there any way to bypass pam_slurm_adopt.so for a group of users, without removing it from /etc/pam.d/sshd and without adding them to the sudo group?
Thanks.
Daniel
Hi Daniel,
Utilizing pam_access with pam_slurm_adopt might be what you are looking for? https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access
Thanks, David
On 7/8/2024 10:54 AM, Daniel L'Hommedieu via slurm-users wrote:
> Hi, all.
> We have a use case where we need to allow a group of users (members of an LDAP group, which I can easily add to a Linux group) to SSH to a compute node, without disabling pam_slurm_adopt.so. Is there a way to do this? We can add users to the sudo group, which will bypass pam_slurm_adopt.so, but we do not want to grant sudo access to these users.
> Is there any way to bypass pam_slurm_adopt.so for a group of users, without removing it from /etc/pam.d/sshd and without adding them to the sudo group?
> Thanks.
> Daniel
On my Rocky9 cluster I got this to work fine also-
Added at the end of /etc/pam.d/sshd:
    account sufficient pam_listfile.so item=user sense=allow onerr=fail file=/etc/slurm/allowed_users_file
    account required pam_slurm_adopt.so
I added a couple of usernames to /etc/slurm/allowed_users_file and they can SSH to the node without a job or allocation there.
Chris
On 07/08/2024 2:07 PM PDT David Schanzenbach via slurm-users <slurm-users@lists.schedmd.com> wrote:
> Hi Daniel,
> Utilizing pam_access with pam_slurm_adopt might be what you are looking for? https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access
> Thanks, David
We do this by adding groups/users to /etc/security/access.conf. That should grant normal ssh access, assuming you still have pam_access.so in your sshd config. Note that if the user has a job on the node, Slurm will still shunt them into that job even with the access.conf setting. So when the job ends, the user's session will also end. However, if the user has no job on that node, then they can ssh as normal to that host without any problem.
-Paul Edmon-
On 7/8/2024 5:48 PM, Chris Taylor via slurm-users wrote:
> On my Rocky9 cluster I got this to work fine also-
> Added at the end of /etc/pam.d/sshd:
>     account sufficient pam_listfile.so item=user sense=allow onerr=fail file=/etc/slurm/allowed_users_file
>     account required pam_slurm_adopt.so
> I added a couple of usernames to /etc/slurm/allowed_users_file and they can SSH to the node without a job or allocation there.
> Chris
At HMS we do the same as Paul's cluster and specify the groups we want to have access to all our compute nodes. We allow two groups that represent our DevOps team and our Research Computing consultants to have access, and then have corresponding sudo rules for each group to allow different command sets to be run.
The Slurm docs mention how /etc/security/access.conf could be configured at:
https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access
Here's an example of how /etc/security/access.conf could be configured:
    + :sysadmin_group:ALL
    + :researchcomputing_group:ALL
    # All other users should be denied to get access from all sources.
    - :ALL:ALL
Kind regards Mick
From: Paul Edmon via slurm-users <slurm-users@lists.schedmd.com>
Sent: Tuesday, July 9, 2024 9:34 AM
To: slurm-users@lists.schedmd.com
Subject: [slurm-users] Re: Temporarily bypassing pam_slurm_adopt.so

> We do this by adding groups/users to /etc/security/access.conf. That should grant normal ssh access, assuming you still have pam_access.so in your sshd config. Note that if the user has a job on the node, Slurm will still shunt them into that job even with the access.conf setting. So when the job ends, the user's session will also end. However, if the user has no job on that node, then they can ssh as normal to that host without any problem.
> -Paul Edmon-
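Added example, not part of any message in the thread: a small Python check that a PAM file keeps the layout posted above, with a `sufficient` allow-list module ahead of `pam_slurm_adopt.so` at the end of the account stack and pam_listfile set to `onerr=fail`. It assumes pam_access.so is wired in with the same `sufficient` control as the pam_listfile.so line; the function names and both sample stacks are constructed for illustration.

```python
import re

ALLOW_MODULES = {"pam_access.so", "pam_listfile.so"}  # allow-lists named in the thread

# Constructed sample: the two account lines from the thread, after a stock include.
GOOD = """\
account include password-auth
account sufficient pam_listfile.so item=user sense=allow onerr=fail file=/etc/slurm/allowed_users_file
account required pam_slurm_adopt.so
"""
# Constructed sample: allow-list placed after pam_slurm_adopt.so, so it cannot override a denial.
BAD = """\
account required pam_slurm_adopt.so
account sufficient pam_listfile.so item=user sense=allow onerr=succeed file=/etc/slurm/allowed_users_file
"""

def account_stack(pam_text):
    """Return [(control, module, args)] for the 'account' lines, in file order."""
    stack = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == "account":
            stack.append((m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return stack

def audit(pam_text):
    """Return findings; an empty list means the stack matches the layout in the thread."""
    stack = account_stack(pam_text)
    modules = [module for _, module, _ in stack]
    if "pam_slurm_adopt.so" not in modules:
        return ["pam_slurm_adopt.so is missing from the account stack"]
    adopt = modules.index("pam_slurm_adopt.so")
    findings = []
    if adopt != len(stack) - 1:
        findings.append("pam_slurm_adopt.so is not the last account module")
    allow = [i for i in range(adopt) if modules[i] in ALLOW_MODULES]
    if not allow:
        findings.append("no allow-list module before pam_slurm_adopt.so")
    for i in allow:
        control, module, args = stack[i]
        if control != "sufficient":
            findings.append(f"{module} is '{control}', not 'sufficient'")
        if module == "pam_listfile.so" and "onerr=fail" not in args:
            findings.append("pam_listfile.so is not set to onerr=fail")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(text) or "ok")
```

To check a real node, pass the contents of /etc/pam.d/sshd to audit(); lines pulled in through include or substack are not followed.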