[torqueusers] How to restrict ssh-access to nodes a user allocated?

Thomas Zeiser thomas.zeiser at rrze.uni-erlangen.de
Thu Nov 24 13:27:52 MST 2005


Dear All,

what is the best way to restrict ssh access for ordinary users to
nodes which are currently assigned to any of their jobs?

I know there is the pam_authuser module and a similar approach
based on /etc/security/access.conf or /etc/security/limits.conf.
However, these two require modifications to some file by the prolog
and epilog scripts. With the [epi/pro]log*.parallel scripts this
might efficiently be doable even for parallel jobs, however, I
still do not feel very comfortable with this approach.

Wouldn't it be better to just ask the local MOM if a certain
ordinary user currently owns the node? This should not cause any
network traffic and thus be rather fast even for large clusters.
(Of course, administrators listed in some file [or netgroup] should
always be allowed to login. The same might be true if there is no
answer from the MOM ...).

Any ideas or other solutions?

(Completely knocking out users is not possible as first of all some
commercial codes depend on ssh to work for their bundled MPI to
work and secondly, users might want to see how much memory their
jobs use, look at local scratch files, etc.)

thomas
-- 
Dipl.-Ing. Thomas ZEISER
Regionales Rechenzentrum Erlangen, GERMANY


More information about the torqueusers mailing list