[torqueusers] disabling direct access to compute nodes

Lloyd Brown somewhere_or_other at byu.edu
Fri Oct 5 08:45:55 MDT 2007

There are a couple of things you can do.  First, if you're using Linux 
(or anything else that uses the PAM stack for authentication), you can 
integrate the "pam_pbssimpleauth.so" PAM module that comes along with 
Torque.  Once that's in your nodes' PAM stack (we use account, 
sufficient), then the users will only be able to log into nodes where 
they have jobs running.  The downside is that once they're logged in, 
they won't get booted off.  You might have to cron something to do that.

Otherwise, you might want to look into launching tools like pbsdsh and 
the OSC mpiexec (http://www.osc.edu/~pw/mpiexec/index.php) that use the 
TM interface to launch.  I *THINK* that if you're using the TM interface 
to launch jobs/tasks then you don't have to allow normal users to log in 
at all, and you can just deny them with the use of the pam_access module 
and the corresponding /etc/security/access.conf entries.  You'd 
*definitely* want to test this before putting it into production, 
though.  Again, I'm sure this works on Linux, but outside of that, your 
mileage may vary.

Lloyd Brown

Markus Seto wrote:
> Hi, I've recently started fiddling with a torque installation, and was 
> wondering if it's possible to disable direct access to the compute 
> nodes from the master node.  I've noticed some users cheating the 
> system and directly logging into compute nodes to run jobs, and I want 
> to force them to use the queue system, but I was told that direct 
> access with ssh keys is needed for torque to run.  any ideas?
> markus
> ------------------------------------------------------------------------
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers

More information about the torqueusers mailing list