[torquedev] TORQUE PAM
mej at lbl.gov
Wed Aug 18 14:46:33 MDT 2010
On Wednesday, 18 August 2010, at 13:34:13 (-0700),
Joshua Bernstein wrote:
> I don't see a real reason to make the server PAM aware. If
> pbs_server runs on a master node, that also serves as a login node,
> then users have to be able to log in to submit jobs anyway. That's
> handled through NSS. If pbs_server runs on a management node, then
> users can't log in there generally because of NSS.
> In Scyld, since the compute nodes, by default, can't be logged into,
> the PAM functionality isn't required.

PAM is about authentication, not just login. If one can envision a
scenario in which authenticating against the system credentials would
not be sufficient for access to the scheduling/batch system, then
server-side PAM would be valuable.

The arguments for One-Time Passwords come to mind here. (And,
conveniently, OTP token systems tend to have PAM modules.)

Also, it would seem prudent to provide a facility to authenticate one
user as another user if also providing a facility for one user to run
jobs as another (qsub -u). Authorization is necessary but perhaps not
sufficient. Again, depends on the situation.

Michael Jennings <mej at lbl.gov>
Linux Systems and Cluster Engineer
High-Performance Computing Services
Bldg 50B-3209E W: 510-495-2687
MS 050C-3396 F: 510-486-8615