[torqueusers] Authentication on cluster nodes
sternberg at anl.gov
Fri Apr 17 11:34:55 MDT 2009
You may want to increase the verbosity of ssh ("ssh -v -v -v
computenode") to see where it balks, and check the logs on the target
On RHEL/CentOS-5.2 compute nodes, I have the following as /etc/pam.d/
==== snip =========================================================
# PAM auth config for compute nodes to control access under torque.
# Overrides the "account" section and handles *everything else*
# by system-auth-ac.
# Based on system-auth-ac(5). See also:
# Install as /etc/pam.d/system-auth-pbs then:
# ln -s system-auth-pbs /etc/pam.d/system-auth
auth include system-auth-ac
#account sufficient pam_pbssimpleauth.so debug
account sufficient pam_pbssimpleauth.so
account required pam_access.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
==== snap =========================================================
FWIW, I use flat files for passwd/group, and *hostbased*
authentication across the compute nodes; their /etc/ssh/sshd_config has:
HostbasedAuthentication avoids the need to introduce additional
passwordless private user keys (which have a habit of getting used
where they shouldn't). sshd is understandably picky when using
Hostbased -- your [internal] DNS or /etc/hosts must work for both both
short and long (FQDN) host names and reverse lookups, and you need /
etc/hosts.equiv, writable by root only; cf. sshd_config(5).
On Apr 17, 2009, at 9:46 , Mary Ellen Fitzpatrick wrote:
> Yeah, makes sense. I installed on the compute nodes. Still can not
> when my job is running on a particular node. I believe it has to do
> with my sshd_config settings either on the user node or compute node.
> Garrick Staples wrote:
>> On Thu, Apr 16, 2009 at 01:58:42PM -0400, Mary Ellen Fitzpatrick
>>> Also, does the torque-package-pam-linux-x86_64.sh need to be
>>> on the compute nodes as well.
>> Whereever you want to use it, it needs to be installed.
>> Again, since it talks to pbs_mom, and it's function is to authorize
>> users that
>> have running jobs, it is only useful on compute nodes.
More information about the torqueusers