[slurm-users] pam_slurm_adopt not working for all users

Juergen Salk juergen.salk at uni-ulm.de
Fri May 21 15:35:00 UTC 2021

Hi Loris,

This depends largely on whether host-based authentication is
configured (which does not seem to be the case for you) and also on
what exactly the PAM stack for sshd looks like in /etc/pam.d/sshd.

As the rules are worked through in the order they appear in
/etc/pam.d/sshd, pam_slurm_adopt cannot bypass the rules that are
placed further up the PAM stack and that are responsible for 
regular authentication such as password or public key

Best regards

Jürgen Salk
Scientific Software & Compute Services (SSCS)
Kommunikations- und Informationszentrum (kiz)
Universität Ulm
Telefon: +49 (0)731 50-22478
Telefax: +49 (0)731 50-22471

* Loris Bennett <loris.bennett at fu-berlin.de> [210521 14:53]:
> Hi,
> We have set up pam_slurm_adopt using the official Slurm documentation
> and Ole's information on the subject.  It works for a user who has SSH
> keys set up, albeit the passphrase is needed:
>   $ salloc --partition=gpu --gres=gpu:1 --qos=hiprio --ntasks=1 --time=00:30:00 --mem=100
>   salloc: Granted job allocation 7202461
>   salloc: Waiting for resource configuration
>   salloc: Nodes g003 are ready for job
>   $ ssh g003
>   Warning: Permanently added 'g003' (ECDSA) to the list of known hosts.
>   Enter passphrase for key '/home/loris/.ssh/id_rsa':
>   Last login: Wed May  5 08:50:00 2021 from login.curta.zedat.fu-berlin.de
>   $ ssh g004
>   Warning: Permanently added 'g004' (ECDSA) to the list of known hosts.
>   Enter passphrase for key '/home/loris/.ssh/id_rsa':
>   Access denied: user loris (uid=182317) has no active jobs on this node.
>   Access denied by pam_slurm_adopt: you have no active jobs on this node
>   Authentication failed.
> If SSH keys are not set up, then the user is asked for a password:
>   $ squeue --me
>              7201647      main test_job nokeylee  R    3:45:24      1 c005
>              7201646      main test_job nokeylee  R    3:46:09      1 c005
>   $ ssh c005
>   Warning: Permanently added 'c005' (ECDSA) to the list of known hosts.
>   nokeylee at c005's password: 
> My assumption was that a user should be able to log into a node on which
> that person has a running job without any further ado, i.e. without the
> necessity to set up anything else or to enter any credentials.
> Is this assumption correct?
> If so, how can I best debug what I have done wrong?
> Cheers,
> Loris
> -- 
> Dr. Loris Bennett (Hr./Mr.)
> ZEDAT, Freie Universität Berlin         Email loris.bennett at fu-berlin.de

GPG A997BA7A | 87FC DA31 5F00 C885 0DC3  E28F BD0D 4B33 A997 BA7A
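
The point made in the reply about rule order in /etc/pam.d/sshd, as an added example that is not part of the original thread: a small Python check that parses a PAM file and shows under which management type pam_slurm_adopt is registered, which auth rules still apply independently of it, and which earlier rules of the same type could return before it runs. The sample file contents and the function names `parse_pam` and `audit_adopt` are assumptions constructed for illustration.

```python
import re

# Constructed sample of /etc/pam.d/sshd (an assumption, not taken from the thread).
SAMPLE_SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
account    sufficient   pam_access.so
account    include      password-auth
-account   required     pam_slurm_adopt.so
session    include      password-auth
"""

RULE = re.compile(r"-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_pam(text):
    """Return the rules in file order as (type, control, module) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RULE.match(line)
        if m:
            rules.append(m.groups())
    return rules


def audit_adopt(text, module="pam_slurm_adopt.so"):
    """Report where the adopt module sits relative to the other rules."""
    rules = parse_pam(text)
    hits = [(i, r) for i, r in enumerate(rules) if r[2].endswith(module)]
    if not hits:
        return {"present": False}
    idx, (ptype, control, _) = hits[0]
    earlier = [r for r in rules[:idx] if r[0] == ptype]
    return {
        "present": True,
        "type": ptype,        # management group the module runs in
        "control": control,
        # auth rules are a separate stack; the adopt module does not replace them
        "auth_rules": [r[2] for r in rules if r[0] == "auth"],
        "earlier_same_type": [r[2] for r in earlier],
        # a succeeding 'sufficient' rule ends the stack before adopt is consulted
        "can_skip_adopt": [r[2] for r in earlier if r[1] == "sufficient"],
    }


if __name__ == "__main__":
    for key, value in audit_adopt(SAMPLE_SSHD_PAM).items():
        print(f"{key}: {value}")
```

To check a real node, pass the contents of its own /etc/pam.d/sshd to `audit_adopt`; files pulled in via `include` or `substack` are reported by name only and need the same check.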
