[torqueusers] disabling direct access to compute nodes
prakash.velayutham at cchmc.org
Fri Oct 5 13:16:23 MDT 2007
Use pam_authuser that comes with the Torque distribution under the
contrib folder. This works beautifully and lets a user access a node
using SSH only if he has a valid job running on that node. Otherwise he is
On Oct 5, 2007, at 3:08 PM, Ole Holm Nielsen wrote:
> Markus Seto wrote:
>> Hi, I've recently started fiddling with a torque installation, and
>> wondering if it's possible to disable direct access to the compute
>> from the master node. I've noticed some users cheating the system
>> directly logging into compute nodes to run jobs, and I want to
>> force them to use the queue system, but I was told that direct access
>> with ssh keys is needed for torque to run. Any ideas?
> The low-tech bullet-proof method we use is to have separate login
> nodes for users. We restrict logins to the master server by using the
> option in /etc/ssh/sshd_config (see "man sshd_config") so that
> normal users can't log in there.
> Now, the login nodes are on our public network, whereas all compute
> nodes are on a private network (the master server of course connects
> to both of these networks). Users on the login nodes can submit jobs
> etc., but they have NO way of ever communicating with the compute
> nodes! They can communicate with the master server, and that's it!
> Some people may think that the submit nodes must be able to
> with the compute nodes in order for the batch system to work, but that
> is just not true. Of course, your NFS fileserver (if it's different
> the master server) must connect to both the private and the public
> as well.
> The disadvantages: With our setup interactive Torque jobs (qsub -I)
> are not possible. The workaround: If a few select users genuinely
> need interactive login access to the compute nodes, then we enable
> their login to the master server by adding them in the /etc/ssh/
> file. If you don't like to allow user logins to the master server,
> a dedicated login server with restricted logins could be made instead
> with a second network card that connects to the private network.
> Best regards,
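
The rule described in the top reply (SSH to a node is allowed only while the user has a job running on that node), sketched as an added example; it is not pam_authuser's code and not part of the original messages. The job records are constructed sample data, and their field layout (`owner` as `user@host`, `state`, `exec_host` as `host/slot+host/slot`) is an assumption modelled on Torque's `qstat -f` output.

```python
# Added illustration of the "login only with a running job on this node" rule.
# Not pam_authuser's implementation; record layout below is an assumption.

def short_host(name):
    """Normalise a hostname so 'node01' and 'node01.cluster.local' compare equal."""
    return name.strip().lower().split(".", 1)[0]

def exec_hosts(exec_host):
    """Return the set of short hostnames in 'n01/0+n01/1+n02/0'."""
    hosts = set()
    for chunk in exec_host.split("+"):
        host = chunk.split("/", 1)[0]      # drop the slot index
        if host.strip():
            hosts.add(short_host(host))
    return hosts

def owner_name(job_owner):
    """Job owner is recorded as 'user@submit-host'; keep the user part."""
    return job_owner.split("@", 1)[0]

def may_login(user, node, jobs):
    """True only if `user` owns a job in state R whose exec_host includes `node`."""
    if not user:
        return False
    node = short_host(node)
    for job in jobs:
        if job.get("state") != "R":        # queued/held jobs grant nothing
            continue
        if owner_name(job.get("owner", "")) != user:
            continue
        if node in exec_hosts(job.get("exec_host", "")):
            return True
    return False

# Constructed sample records (hypothetical users and hosts).
SAMPLE_JOBS = [
    {"id": "101.master", "owner": "alice@login1", "state": "R",
     "exec_host": "node01/0+node01/1+node02/0"},
    {"id": "102.master", "owner": "bob@login1", "state": "Q", "exec_host": ""},
    {"id": "103.master", "owner": "bob@login1", "state": "R",
     "exec_host": "node03.cluster.local/0"},
]

if __name__ == "__main__":
    for user, node in [("alice", "node02"), ("alice", "node03"), ("bob", "node03")]:
        print(user, node, "allow" if may_login(user, node, SAMPLE_JOBS) else "deny")
```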