[slurm-users] slurm password -what is impact when changing it

[Michael Jennings]

On Monday, 14 September 2020, at 13:46:27 (+0000),
Braun, Ruth A wrote:

> Is there any issue if I set/change the slurm account password?    I'm running 19.05.x
> 
> Current state is locked but I have to reset it periodically:
> # passwd --status slurm
> slurm LK 2014-02-03 -1 -1 -1 -1 (Password locked.)

The short answer is:  Don't do that!

The longer answer is:  As long as your "slurm" user has something like
"/bin/false" or "/sbin/nologin" as their shell, it technically
shouldn't matter.  What's important is that it's impossible for anyone
to actually log in as that user; whichever technique(s) are used to
accomplish that should ultimately be fine, at least in theory....

But from a defense-in-depth perspective, you really shouldn't take any
action that *reduces* the protections in place for system accounts
like this one.  In addition to all the other security measures in use,
the "slurm" user -- if you even need one at all -- should not have
*any* password set; that way, it's completely impossible for anyone to
log into your system as user "slurm."

May I ask why you feel you need to reset user slurm's password
periodically?  It's really no different in principle from users like
"bin," "daemon," "adm," or even "uucp."  You don't assign passwords to
those accounts, do you?  (That would be very dangerous if you did!)
Is it perhaps a compliance requirement of some kind?  I know those can
be pretty draconian and inflexible at times....

My friend Alan Wild works in HPC for ExxonMobil; do you know him?  He
can probably help you navigate any compliance requirements or whatever
might be prompting you to do this; he's been managing TORQUE and Slurm
there for several years now. :-)

HTH,
Michael

-- 
Michael E. Jennings <mej at lanl.gov>
HPC Systems Team, Los Alamos National Laboratory
Bldg. 03-2327, Rm. 2341     W: +1 (505) 606-0605