[slurm-users] pam_slurm_adopt not working for all users
lloyd_brown at byu.edu
Thu May 27 16:08:04 UTC 2021
While that's absolutely a significant issue, here's how we solved it,
despite still using user keys. This basically assures that while people
can SSH around with keys within our cluster, they get into the login
nodes using SSH keys. Combine that with the required enrollment in 2FA,
and I think we're doing decently well.
Network routing rules and switch ACLs prevent users from getting into
the non-login nodes from outside the cluster.
(excerpt from sshd_config on login nodes only - It's much simpler on
> # default behavior - disallow PubKeyAuthentication
> PubKeyAuthentication no
> # default behavior - force people to the "you must enroll in 2FA"
> # message, and then exit
> ForceCommand /usr/local/bin/2fa_notice.sh
> # All users enrolled in 2FA are part of the twofactusers group
> Match group twofactusers
>     ForceCommand none
> # Allow PubKeyAuthentication for subnets that are internal to the cluster
> Match Address ListOfClusterInternalSubnets
>     PubKeyAuthentication yes
On 5/27/21 9:27 AM, Michael Jennings wrote:
> As far as abuse of keys goes: What's stopping your user from taking
> that private key you created for them (which is, as you recall,
> *unencrypted*) outside of your cluster to another host somewhere else
> on campus. Maybe something that has tons of untrusted folks with
> root. Then any of those folks can SSH to your cluster as that user.
HPC Systems Administrator
Office of Research Computing
Brigham Young University