[torquedev] TORQUE PAM

Eygene Ryabinkin rea+maui at grid.kiae.ru
Wed Aug 18 12:34:25 MDT 2010


Wed, Aug 18, 2010 at 06:41:25AM -0600, Ken Nielson wrote:
> What about the server? Are there other ways to authenticate users
> without using the rsh (ruserok in particular) on pbs_server?

Ruserok() is about authorization, not authentication: you're passing
two usernames (that should be authenticated) and asking if an entry
exists in hosts.equiv -- so, you're asking if user A from host H is
authorized to act as user B.

On the other side, as I recall, authentication in Torque is based on
the privileged port/domain socket security that is rather mild.  And
the foundation of the authorization is authentication, so having weak
authN means that the best authZ can be easily fooled.

There is at least one good solution -- Munge,
  http://code.google.com/p/munge/
that is designed for the UID/GID authentication for the single (or
multiple) administrative realms.  It is used in Slurm and I must say
that we are happy with this solution (we're running some of our
clusters with Slurm as the batch system) -- we never had any problems
once the realm keys were properly generated and distributed.

On the other hand, there is Authd,
  http://www.theether.org/authd/
that uses similar technology to authenticate remote users.  This
software is used by Ganglia, so it should be pretty stable too.

> Is making pbs_server PAM aware something worth doing to allow users
> flexibility in setting up authentication?

Yes, because the patch from Joshua Bernstein and this thread,
  http://www.mailinglistarchive.com/html/torqueusers@supercluster.org/2010-06/msg00177.html
revealed that there are many situations where a custom authZ solution
is needed, so making it pluggable via PAM should help people to write
external authorizators.

One can probably also wrap authentication using PAM, but standard
PAM authN plugins are interactive; reading the manual pages for
pam/pam_conv and the PAM page at OpenWall,
  http://www.openwall.com/pam/
I have the impression that authentication in PAM is designed to be
interactive.  And you want non-interactive means to assert a (remote)
user's identity, so using Munge/Authd/etc. is simpler, because these
tools were written precisely for this.
-- 
Eygene Ryabinkin, Russian Research Centre "Kurchatov Institute"
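The distinction the message draws (authentication asserts who the remote user is; ruserok()-style authorization only decides whether that already-established user may act as a local one) is easy to see in code. The following is an added example written for this archive page; it is not Torque, Munge or Authd code and does not reproduce Munge's wire format. It models a Munge-like credential as an HMAC over (uid, gid, timestamp, nonce) under a shared realm key, then runs a simplified hosts.equiv lookup on the authenticated name. The realm key, the host table and the uid-to-name map are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed demo realm key; a real realm distributes a random secret to every host.
REALM_KEY = b"constructed-demo-realm-key-not-for-production"
CRED_TTL = 300  # seconds a credential stays acceptable (also tolerates this much skew)

# Layout: uid (4) | gid (4) | unix time (8) | nonce (8) | HMAC-SHA256 (32)
_HDR = ">IIq"
_PAYLOAD_LEN = struct.calcsize(_HDR) + 8
_MAC_LEN = hashlib.sha256().digest_size


def create_credential(uid, gid, key=REALM_KEY, now=None):
    """Non-interactive assertion of (uid, gid) by a host holding the realm key."""
    ts = int(time.time() if now is None else now)
    payload = struct.pack(_HDR, uid, gid, ts) + os.urandom(8)
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_credential(cred, key=REALM_KEY, now=None, ttl=CRED_TTL):
    """Return (uid, gid) if the credential is genuine and fresh, else raise ValueError."""
    try:
        raw = base64.b64decode(cred, validate=True)
    except (ValueError, TypeError):
        raise ValueError("malformed credential")
    if len(raw) != _PAYLOAD_LEN + _MAC_LEN:
        raise ValueError("malformed credential")
    payload, mac = raw[:_PAYLOAD_LEN], raw[_PAYLOAD_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: a tampered payload or a foreign realm key fails here.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad MAC: wrong realm key or tampered payload")
    uid, gid, ts = struct.unpack(_HDR, payload[: struct.calcsize(_HDR)])
    now = int(time.time() if now is None else now)
    if not (now - ttl <= ts <= now + ttl):
        raise ValueError("credential expired or from the future")
    return uid, gid


def credential_is_valid(cred, key=REALM_KEY, now=None):
    """Boolean wrapper around verify_credential() for callers that only need yes/no."""
    try:
        verify_credential(cred, key, now)
        return True
    except ValueError:
        return False


def parse_hosts_equiv(text):
    """Parse 'host [user]' lines into (host, user-or-None); comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def authorized(entries, rhost, ruser, luser):
    """Simplified ruserok(): may `ruser` on `rhost` act as local user `luser`?

    'host' alone permits same-name access from that host; 'host user' permits
    that remote user to act as any local user.  Authorization only: it trusts
    that `ruser` was already authenticated.
    """
    for host, user in entries:
        if host != rhost:
            continue
        if (user is None and ruser == luser) or user == ruser:
            return True
    return False


def authorize_request(cred, rhost, luser, uid_to_name, entries, key=REALM_KEY, now=None):
    """AuthN first (verify the signed credential), then authZ (table lookup)."""
    uid, _gid = verify_credential(cred, key, now)
    ruser = uid_to_name.get(uid)
    return ruser is not None and authorized(entries, rhost, ruser, luser)


# Constructed sample data for a two-node realm.
SAMPLE_HOSTS_EQUIV = """
# node01 users may act only as their own local account
node01.example.test
# batchadmin on node02 may act as any local user
node02.example.test   batchadmin
"""
SAMPLE_ENTRIES = parse_hosts_equiv(SAMPLE_HOSTS_EQUIV)
SAMPLE_UID_MAP = {1000: "alice", 1001: "batchadmin"}
```

The authorization table alone cannot distinguish a genuine request from a forged one; only a credential that verifies under the realm key makes the remote name trustworthy, which is the "weak authN fools the best authZ" point from the message.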

