[slurm-users] pam_slurm_adopt not working for all users

Juergen Salk juergen.salk at uni-ulm.de
Fri May 21 15:35:00 UTC 2021


Hi Loris,

this depends largely on whether host-based authentication is
configured (which does not seem to be the case for you) and also on
how exactly the PAM stack for sshd looks like in /etc/pam.d/sshd.

As the rules are worked through in the order they appear in
/etc/pam.d/sshd, pam_slurm_adopt cannot bypass the rules that are
placed further up the PAM stack and that are responsible for 
regular authentication such as password or public key
authentication.

Best regards
Jürgen

-- 
Jürgen Salk
Scientific Software & Compute Services (SSCS)
Kommunikations- und Informationszentrum (kiz)
Universität Ulm
Telefon: +49 (0)731 50-22478
Telefax: +49 (0)731 50-22471

* Loris Bennett <loris.bennett at fu-berlin.de> [210521 14:53]:
> Hi,
> 
> We have set up pam_slurm_adopt using the official Slurm documentation
> and Ole's information on the subject.  It works for a user who has SSH
> keys set up, albeit the passphrase is needed:
> 
>   $ salloc --partition=gpu --gres=gpu:1 --qos=hiprio --ntasks=1 --time=00:30:00 --mem=100
>   salloc: Granted job allocation 7202461
>   salloc: Waiting for resource configuration
>   salloc: Nodes g003 are ready for job
> 
>   $ ssh g003
>   Warning: Permanently added 'g003' (ECDSA) to the list of known hosts.
>   Enter passphrase for key '/home/loris/.ssh/id_rsa':
>   Last login: Wed May  5 08:50:00 2021 from login.curta.zedat.fu-berlin.de
> 
>   $ ssh g004
>   Warning: Permanently added 'g004' (ECDSA) to the list of known hosts.
>   Enter passphrase for key '/home/loris/.ssh/id_rsa':
>   Access denied: user loris (uid=182317) has no active jobs on this node.
>   Access denied by pam_slurm_adopt: you have no active jobs on this node
>   Authentication failed.
> 
> If SSH keys are not set up, then the user is asked for a password:
> 
>   $ squeue --me
>                JOBID PARTITION     NAME     USER ST       TIME  NODES NODELIST(REASON)
>              7201647      main test_job nokeylee  R    3:45:24      1 c005
>              7201646      main test_job nokeylee  R    3:46:09      1 c005
>   $ ssh c005
>   Warning: Permanently added 'c005' (ECDSA) to the list of known hosts.
>   nokeylee at c005's password: 
> 
> My assumption was that a user should be able to log into a node on which
> that person has a running job without any further ado, i.e. without the
> necessity to set up anything else or to enter any credentials.
> 
> Is this assumption correct?
> 
> If so, how can I best debug what I have done wrong?
> 
> Cheers,
> 
> Loris
> 
> -- 
> Dr. Loris Bennett (Hr./Mr.)
> ZEDAT, Freie Universität Berlin         Email loris.bennett at fu-berlin.de
> 

-- 
GPG A997BA7A | 87FC DA31 5F00 C885 0DC3  E28F BD0D 4B33 A997 BA7A



More information about the slurm-users mailing list