[torquedev] TORQUE PAM

Michael Jennings mej at lbl.gov
Wed Aug 18 14:46:33 MDT 2010


On Wednesday, 18 August 2010, at 13:34:13 (-0700),
Joshua Bernstein wrote:

> I don't see a real reason to make the server PAM aware. If
> pbs_server runs on a master node, that also serves as a login node,
> then users have to be able to login to submit jobs anyway. That's
> handled through NSS. If pbs_server runs on a management node, then
> users can't login there generally because of NSS.
> 
> In Scyld, since the compute nodes, by default, can't be logged into,
> the PAM functionality isn't required.

PAM is about authentication, not just login.  If one can envision a
scenario in which authenticating against the system credentials would
not be sufficient for access to the scheduling/batch system, then
server-side PAM would be valuable.

The arguments for One-Time Passwords come to mind here.  (And,
conveniently, OTP token systems tend to have PAM modules.)

Also, it would seem prudent to provide a facility to authenticate one
user as another user if also providing a facility for one user to run
jobs as another (qsub -u).  Authorization is necessary but perhaps not
sufficient.  Again, depends on the situation.

Michael

-- 
Michael Jennings <mej at lbl.gov>
Linux Systems and Cluster Engineer
High-Performance Computing Services
Bldg 50B-3209E      W: 510-495-2687
MS 050C-3396        F: 510-486-8615

