[slurm-users] Re: Temporarily bypassing pam_slurm_adopt.so

Tue, 09 Jul 2024 11:48:48 -0700 

At HMS we do the same as Paul's cluster and specify the groups we want to have 
access to all our compute nodes, we allow two groups that represent our DevOps 
team and our Research Computing consultants  to have access and then 
corresponding sudo rules for each group to allow different command sets to be 
run.

The Slurm docs mentions how /etc/security/access.conf​​ could be configured at:

https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access

Here's an example of how /etc/security/access.conf​ could be configured:


+ :sysadmin_group:ALL
+ :researchcomputing_group:ALL
# All other users should be denied to get access from all sources.
- :ALL:ALL

Kind regards
Mick

--

________________________________
From: Paul Edmon via slurm-users <slurm-users@lists.schedmd.com>
Sent: Tuesday, July 9, 2024 9:34 AM
To: slurm-users@lists.schedmd.com <slurm-users@lists.schedmd.com>
Subject: [slurm-users] Re: Temporarily bypassing pam_slurm_adopt.so

We do this by adding groups/users to /etc/security/access.conf That
should grant normal ssh access assuming you still have pam_access.so
still in your sshd config.  Note that if the user has a job on the node,
slurm will still shunt them into that job even with the access.conf
setting.  So when the job ends the user's session will also end. However
if the user has no job on that node, then they can ssh as normal to that
host with out any problem.

-Paul Edmon-

On 7/8/2024 5:48 PM, Chris Taylor via slurm-users wrote:
> On my Rocky9 cluster I got this to work fine also-
>
> Added at the end of /etc/pam.d/sshd:
>
> account    sufficient    pam_listfile.so item=user sense=allow onerr=fail 
> file=/etc/slurm/allowed_users_file
> account    required      pam_slurm_adopt.so
>
> I added a couple of usernames to /etc/slurm/allowed_users_file and they can 
> SSH to the node without a job or allocation there.
>
> Chris
>
>> On 07/08/2024 2:07 PM PDT David Schanzenbach via slurm-users 
>> <slurm-users@lists.schedmd.com> wrote:
>>
>>
>> Hi Daniel,
>>
>>   Utilizing pam_access with pam_slurm_adopt might be what you are looking 
>> for?
>>   https://slurm.schedmd.com/pam_slurm_adopt.html#admin_access
>>
>>   Thanks,
>>   David
>>
>>

--
slurm-users mailing list -- slurm-users@lists.schedmd.com
To unsubscribe send an email to slurm-users-le...@lists.schedmd.com

-- 
slurm-users mailing list -- slurm-users@lists.schedmd.com
To unsubscribe send an email to slurm-users-le...@lists.schedmd.com

Reply via email to