[slurm-users] Allow SFTP on a specific compute node

Burian, John John.Burian at nationwidechildrens.org
Tue Jul 12 11:59:35 UTC 2022


Outside the context of slurm, you could add exceptions to /etc/security/access.conf. This depends on where pam_access.so appears in /etc/pam.d/sshd. I believe we’re using the config recommended in the pam_slurm_adopt documentation. There are a number of caveats: you need system root to configure it, not just slurm admin; it will allow SSH not just SFTP; pam_access.so appears in other PAM configurations, so be careful what else you’re allowing; it’s inconvenient if the set of users or set of nodes changes with any frequency.

We use this mechanism, and it works for us, because the users we’re allowing to bypass pam_slurm_adopt are HPC staff, not users.

John



From: slurm-users <slurm-users-bounces at lists.schedmd.com> on behalf of "Ratnasamy, Fritz" <fritz.ratnasamy at chicagobooth.edu>
Reply-To: Slurm User Community List <slurm-users at lists.schedmd.com>
Date: Tuesday, July 12, 2022 at 12:53 AM
To: Slurm User Community List <slurm-users at lists.schedmd.com>
Subject: [slurm-users] Allow SFTP on a specific compute node

Hello,

 Currently, our cluster does not allow ssh to compute nodes for users unless they have
a running job on that compute node. I believe a system admin has set up a PAM module
that does the block. When trying ssh, this is the message returned:
Access denied by pam_slurm_adopt: you have no active jobs on this node
Connection closed by 10.135.242.188 port 22

However, we would like to allow sftp on a specific compute node for specific users.
Any idea on how to do that?
Thanks,


Fritz Ratnasamy
Data Scientist
Information Technology
The University of Chicago
Booth School of Business
5807 S. Woodlawn
Chicago, Illinois 60637
Phone: +(1) 773-834-4556
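
Added example (not part of the original thread, and not the posters' or Slurm's own code): a check for the caveat in the reply that pam_access.so appears in more than one PAM configuration. It assumes the arrangement in which pam_access.so is a `sufficient` account module listed ahead of pam_slurm_adopt.so; the function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit where pam_access.so is active in a PAM config directory.

# Print the service files in DIR that have a non-comment pam_access.so line.
pam_access_services() {
    local dir=$1 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*[^#[:space:]].*pam_access\.so' "$f"; then
            basename "$f"
        fi
    done
}

# Classify the account stack of FILE:
#   bypass    - pam_access.so is "sufficient" and listed before pam_slurm_adopt.so,
#               so an access.conf "+" match skips the job check
#   no-bypass - both modules present, but not in that arrangement
#   absent    - one or both modules missing from the account stack
account_stack_order() {
    awk '
        /^[[:space:]]*#/ { next }
        { t = $1; sub(/^-/, "", t) }
        t != "account" { next }
        $3 ~ /pam_access\.so$/ && !acc { acc = NR; ctl = $2 }
        $3 ~ /pam_slurm_adopt\.so$/ && !adopt { adopt = NR }
        END {
            if (!acc || !adopt) print "absent"
            else if (acc < adopt && ctl == "sufficient") print "bypass"
            else print "no-bypass"
        }' "$1"
}

# Constructed sample files standing in for a compute node's /etc/pam.d.
make_sample() {
    local dir=$1
    printf '%s\n' 'account    sufficient   pam_access.so' \
                  '-account   required     pam_slurm_adopt.so' > "$dir/sshd"
    printf '%s\n' 'account    required     pam_access.so' > "$dir/crond"
    printf '%s\n' '#account   required     pam_access.so' \
                  'account    required     pam_unix.so' > "$dir/su"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "pam_access.so active in:" $(pam_access_services "$demo")
echo "sshd account stack: $(account_stack_order "$demo/sshd")"
rm -rf "$demo"
```

On a real node, run `pam_access_services /etc/pam.d` before adding a `+` line to /etc/security/access.conf: every service it lists will evaluate the same rule.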