[slurm-users] pam_slurm_adopt not working for all users

Max Voit max.voit_mlsl at with-eyes.net
Tue May 25 17:10:34 UTC 2021

On Tue, 25 May 2021 14:09:54 +0200
"Loris Bennett" <loris.bennett at fu-berlin.de> wrote:

> to work with pam_slurm_adopt but without any SSH keys.  My assumption
> was that MUNGE takes care of the authentication, since users' jobs
> start on nodes with the need for keys.
> Can someone confirm that this expectation is wrong and, if possible,
> why the analogy with jobs is incorrect?

sshd uses PAM for authentication purposes only for the methods
"password" and "challenge-response". The remaining involvement of PAM
is limited to the "account" and "session" facilities (the latter of
which pam_slurm_adopt is associated with). Thus, if not using
"password" or "challenge-response" authentication in sshd, some other
authentication method has to be used (by sshd) which cannot possibly
rely on PAM.

On Tue, 25 May 2021 17:31:42 +0100
Tina Friedrich <tina.friedrich at it.ox.ac.uk> wrote:

> ...I really didn't want to wade in on this, but why not set up host 
> based ssh? It's not exactly as if passphraseless keys give better
> security?

Imho it's worse. With hostbased-authentication you do limit from where
which nodes of the cluster can be accessed (and this will usually be
restricted to "inside the cluster"). With passwordless key-pairs, in
contrast, passwordless access to the cluster from outside is possible
as soon as a generated private key is taken outside.

Best regards,

More information about the slurm-users mailing list