[slurm-users] pam_slurm_adopt not working for all users

[Lloyd Brown]

While that's absolutely a significant issue, here's how we solved it, 
despite still using user keys. This basically assures that while people 
can SSH around with keys within our cluster, they get into the login 
nodes using SSH keys.  Combine that with the required enrollment in 2FA, 
and I think we're doing decently well.

Network routing rules and switch ACLs prevent users from getting into 
the non-login nodes from outside the cluster.


(excerpt from sshd_config on login nodes only - It's much simpler on 
non-login nodes):

>
> # default behavior - disallow PubKeyAuthentication
> PubKeyAuthentication no
>
> # default behavior - force people to the "you must enroll in 2FA" 
> message, and then exit
> ForceCommand /usr/local/bin/2fa_notice.sh
>
> #All users enrolled in 2FA, are part of the twofactusers group
> Match group twofactusers
>         ForceCommand none
>
> #Allow PubKeyAuthentication for subnets that are internal to the cluster
> Match Address ListOfClusterInternalSubnets
>         PubKeyAuthentication yes

Lloyd


On 5/27/21 9:27 AM, Michael Jennings wrote:
>
> As far as abuse of keys goes:  What's stopping your user from taking
> that private key you created for them (which is, as you recall,
> *unencrypted*) outside of your cluster to another host somewhere else
> on campus.  Maybe something that has tons of untrusted folks with
> root.  Then any of those folks can SSH to your cluster as that user.

-- 
Lloyd Brown
HPC Systems Administrator
Office of Research Computing
Brigham Young University
http://marylou.byu.edu