[slurm-users] ssh-keys on compute nodes?

Ole Holm Nielsen Ole.H.Nielsen at fysik.dtu.dk
Mon Jun 8 16:40:58 UTC 2020


On 08-06-2020 18:07, Jeffrey T Frey wrote:
> There's a Slurm PAM module you can use to gate ssh access -- basically it checks to see if the user has a job running on the node and moves any ssh sessions to the first cgroup associated with that user on that node.  If you don't use cgroup resource limiting I think it just gates access w/o any such cgroup assignments.

The pam_slurm_adopt[1] module is used by lots of Slurm sites for 
restricting access by SSH.  See the discussion in
https://wiki.fysik.dtu.dk/niflheim/Slurm_configuration#pam-module-restrictions

/Ole

[1] https://slurm.schedmd.com/pam_slurm_adopt.html


>> On Jun 8, 2020, at 12:01 , Durai Arasan <arasan.durai at gmail.com> wrote:
>>
>> Hi Jeffrey,
>>
>> Thanks for the clarification.
>>
>> But this is concerning, as the users will be able to ssh into any node. How do you prevent that?
>>
>> Best,
>> Durai
>>
>> On Mon, Jun 8, 2020 at 5:55 PM Jeffrey T Frey <frey at udel.edu> wrote:
>> User home directories are on a shared (NFS) filesystem that's mounted on every node.  Thus, they have the same id_rsa key and authorized_keys file present on all nodes.
>>
>>
>>
>>
>>> On Jun 8, 2020, at 11:42 , Durai Arasan <arasan.durai at gmail.com> wrote:
>>>
>>> Ok, that was useful information.
>>>
>>> So when you provision user accounts, you add the public key to .ssh/authorized_keys of *all* nodes on the cluster? Not just the login nodes.. ?
>>> When we provision user accounts on our Slurm cluster we still add .ssh, .ssh/id_rsa (needed for older X11 tunneling via libssh2), and add the public key to .ssh/authorized_keys.
>>>
>>> Thanks,
>>> Durai



More information about the slurm-users mailing list