[torqueusers] Authentication on cluster nodes

Michael Sternberg sternberg at anl.gov
Fri Apr 17 11:34:55 MDT 2009

You may want to increase the verbosity of ssh ("ssh -v -v -v  
computenode") to see where it balks, and check the logs on the target  

On RHEL/CentOS-5.2 compute nodes, I have the following as /etc/pam.d/ 
system-auth-pbs :

==== snip =========================================================
# PAM auth config for compute nodes to control access under torque.
# Overrides the "account" section and handles *everything else*
# by system-auth-ac.
# Based on system-auth-ac(5).  See also:
# /usr/share/doc/torque-pam-*/README.pam
# /usr/share/doc/pam-*/txts/README.pam_unix
# Install as /etc/pam.d/system-auth-pbs then:
#       ln -s system-auth-pbs /etc/pam.d/system-auth

auth        include       system-auth-ac

#account     sufficient    pam_pbssimpleauth.so debug
account     sufficient    pam_pbssimpleauth.so
account     required      pam_access.so
account     include       system-auth-ac

password    include       system-auth-ac

session     include       system-auth-ac
==== snap =========================================================

FWIW, I use flat files for passwd/group, and *hostbased*  
authentication across the compute nodes; their /etc/ssh/sshd_config has:

	Protocol 2
	HostbasedAuthentication yes
	IgnoreUserKnownHosts yes
	UsePAM yes

HostbasedAuthentication avoids the need to introduce additional  
passwordless private user keys (which have a habit of getting used  
where they shouldn't).  sshd is understandably picky when using  
Hostbased -- your [internal] DNS or /etc/hosts must work for both both  
short and long (FQDN) host names and reverse lookups, and you need / 
etc/hosts.equiv, writable by root only; cf. sshd_config(5).


On Apr 17, 2009, at 9:46 , Mary Ellen Fitzpatrick wrote:
> Yeah, makes sense.  I installed on the compute nodes.  Still can not  
> ssh
> when my job is running on a particular node.  I believe it has to do
> with my sshd_config settings either on the user node or compute node.
> Garrick Staples wrote:
>> On Thu, Apr 16, 2009 at 01:58:42PM -0400, Mary Ellen Fitzpatrick  
>> alleged:
>>> Also, does the torque-package-pam-linux-x86_64.sh need to be  
>>> installed
>>> on the compute nodes as well.
>> Whereever you want to use it, it needs to be installed.
>> Again, since it talks to pbs_mom, and it's function is to authorize  
>> users that
>> have running jobs, it is only useful on compute nodes.

More information about the torqueusers mailing list