On Fri, 5 Jun 2015 22:16:12 +0000 Alex Chekholko <[email protected]> wrote:
> Hi all,
>
> I have a standard grid engine cluster (sge-8.1.8 tarball from Dave
> Love's site) where users use qlogin to get interactive shells on compute
> nodes, and we use a qlogin wrapper script to enable X11 forwarding, by
> using sshd instead of builtin qlogin_daemon.
>
> Next, we'd like to limit SSH access to the compute nodes, except if a
> user has a job running there. Right now, users can SSH to any node and
> some are starting to abuse this.
>
> However, adding pam_sge_authorize to the sshd pam stack breaks my qlogin
> wrapper, as it doesn't let the user ssh in for the qlogin job.
>
> Does anyone have something like this working? Maybe I'm missing
> something simple.
>
> https://arc.liv.ac.uk/SGE/htmlman/htmlman8/pam_sge_authorize.html
>
> https://arc.liv.ac.uk/trac/SGE/browser/sge/source/3rdparty/tacc_pam_sge/pam_sge_authorize.c?rev=4811
>
> I also don't quite understand what
> https://arc.liv.ac.uk/SGE/htmlman/htmlman8/pam_sge-qrsh-setup.html
> is for, no matter how many times I re-read those man pages. Do I need
> both pam_sge-qrsh-setup and pam_sge_authorize?

pam_sge-qrsh-setup enables tight integration when using ssh, which means
grid engine can track usage and kill the job when it is finished.
pam_sge_authorize is what you should use to allow access outside grid
engine control by users with jobs on the node. Their usage is largely
orthogonal. We don't allow users to log in to the nodes outside GE control
at all, so I have not tried pam_sge_authorize.

Check that the execd_spool_dir is set correctly. Enable debug and see what
the syslog records.

One (untested) suggestion. You could have the qlogin sshd exec'd with -m to
give it a different name and therefore presumably a different PAM config
file. That would mean you could use pam_sge_authorize only on the regular
sshd while using pam_sge-qrsh-setup for qlogin/qrsh.

-- 
William Hay <[email protected]>
_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
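The split that William suggests (pam_sge_authorize only on the regular sshd, pam_sge-qrsh-setup only on the sshd spawned by the qlogin wrapper) can be done without any PAM-level trickery if the two sshd instances simply use different PAM service names. The script below is an added example for this thread; it is not from the list, from Alex's wrapper, or from the SGE sources. It assumes, without confirmation from the thread, that OpenSSH derives its PAM service name from the name it was invoked as (so a symlink sshd-qlogin -> sshd selects /etc/pam.d/sshd-qlogin), that pam_sge_authorize is an "account" module and pam_sge-qrsh-setup a "session" module that both accept a "debug" option, and that the shepherd runs the configured qlogin_daemon inetd-style, which is why sshd gets -i. The file names sshd-qlogin and common-* are placeholders.

```shell
#!/bin/sh
# Added example, not the project's own code: separate PAM stacks for the
# regular sshd and for the sshd that serves qlogin/qrsh sessions.
#
# Assumptions (not confirmed by the thread):
#   - OpenSSH picks /etc/pam.d/<argv0 basename> as its PAM service, so a
#     symlink named sshd-qlogin pointing at sshd selects a separate stack.
#   - pam_sge_authorize is an "account" module, pam_sge-qrsh-setup a
#     "session" module; "debug" makes both log their decisions to syslog.
#   - SGE runs the qlogin_daemon with the accepted socket on stdin/stdout,
#     hence "sshd -i". Extra arguments from the shepherd are passed through.

SSHD=/usr/sbin/sshd
QLOGIN_SSHD_NAME=sshd-qlogin   # hypothetical name for the qlogin instance

# PAM service name sshd will look up, given the path it was executed as.
pam_service_for() {
    basename "$1"
}

# Write both PAM stacks below $1 (normally /etc/pam.d).
write_pam_configs() {
    dir=$1

    # Regular sshd: only users who already have a job on this host get in.
    # "debug" makes pam_sge_authorize log to syslog why a login was refused,
    # which is the quickest way to spot a wrong execd_spool_dir.
    cat > "$dir/sshd" <<'EOF'
auth     include    common-auth
account  required   pam_sge_authorize.so debug
account  include    common-account
session  include    common-session
EOF

    # sshd started by the qlogin wrapper: no pam_sge_authorize here (the
    # thread reports it rejects the qlogin login), but pam_sge-qrsh-setup
    # so the shell is tied to the job and killed when the job ends.
    cat > "$dir/$QLOGIN_SSHD_NAME" <<'EOF'
auth     include    common-auth
account  include    common-account
session  required   pam_sge-qrsh-setup.so debug
session  include    common-session
EOF
}

# Body of the qlogin_daemon wrapper: exec sshd under the alternate name.
# Configure it as, e.g., "qlogin_daemon /usr/local/sbin/qlogin-sshd" and
# keep X11 forwarding on for this instance only.
qlogin_sshd() {
    link="$(dirname "$SSHD")/$QLOGIN_SSHD_NAME"
    [ -e "$link" ] || ln -s "$SSHD" "$link"
    exec "$link" -i -o X11Forwarding=yes "$@"
}

# Usage: "--write-pam [dir]" installs the two stacks; any other invocation
# (the shepherd's) hands control to sshd. Nothing runs when sourced.
case "${1-}" in
    --write-pam) write_pam_configs "${2:-/etc/pam.d}" ;;
esac
```

After installing the stacks, a plain `ssh node` by a user without a job should be refused with a pam_sge_authorize message in syslog, while `qlogin` should still land in a shell whose session shows up under the job in `qstat -j`; if the qlogin path is still refused, check that sshd really logs under the service name returned by `pam_service_for` and not under "sshd".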
