[torqueusers] Authentication on cluster nodes

Michael Sternberg sternberg at anl.gov
Fri Apr 17 11:34:55 MDT 2009


You may want to increase the verbosity of ssh ("ssh -v -v -v  
computenode") to see where it balks, and check the logs on the target  
node.


On RHEL/CentOS-5.2 compute nodes, I have the following as
/etc/pam.d/system-auth-pbs :

==== snip =========================================================
# PAM auth config for compute nodes to control access under torque.
# Overrides the "account" section and handles *everything else*
# by system-auth-ac.
#
# Based on system-auth-ac(5).  See also:
# /usr/share/doc/torque-pam-*/README.pam
# /usr/share/doc/pam-*/txts/README.pam_unix
#
# Install as /etc/pam.d/system-auth-pbs then:
#       ln -s system-auth-pbs /etc/pam.d/system-auth

auth        include       system-auth-ac

#account     sufficient    pam_pbssimpleauth.so debug
account     sufficient    pam_pbssimpleauth.so
account     required      pam_access.so
account     include       system-auth-ac

password    include       system-auth-ac

session     include       system-auth-ac
==== snap =========================================================


FWIW, I use flat files for passwd/group, and *hostbased*  
authentication across the compute nodes; their /etc/ssh/sshd_config has:

	Protocol 2
	...
	HostbasedAuthentication yes
	IgnoreUserKnownHosts yes
	...
	UsePAM yes
	...

HostbasedAuthentication avoids the need to introduce additional
passwordless private user keys (which have a habit of getting used
where they shouldn't).  sshd is understandably picky when using
Hostbased -- your [internal] DNS or /etc/hosts must work for both
short and long (FQDN) host names and reverse lookups, and you need
/etc/hosts.equiv, writable by root only; cf. sshd_config(5).


Michael.


On Apr 17, 2009, at 9:46 , Mary Ellen Fitzpatrick wrote:
> Yeah, makes sense.  I installed on the compute nodes.  Still can not
> ssh when my job is running on a particular node.  I believe it has to
> do with my sshd_config settings either on the user node or compute node.
>
> Garrick Staples wrote:
>>
>> On Thu, Apr 16, 2009 at 01:58:42PM -0400, Mary Ellen Fitzpatrick
>> alleged:
>>> Also, does the torque-package-pam-linux-x86_64.sh need to be
>>> installed on the compute nodes as well.
>>
>> Wherever you want to use it, it needs to be installed.
>>
>> Again, since it talks to pbs_mom, and its function is to authorize
>> users that have running jobs, it is only useful on compute nodes.
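
Added example, not part of the original message or of torque/OpenSSH: a pre-flight check for the hostbased prerequisites listed above (short and long names resolving consistently, reverse lookups returning the name listed in hosts.equiv, hosts.equiv writable by root only). It assumes names are served from an /etc/hosts-style file rather than DNS and that hosts.equiv holds one host name per line; the function names and the cluster.example hosts are constructed for illustration.

```python
import os
import stat

# Constructed sample data for illustration (not from the original post).
SAMPLE_HOSTS = """\
10.0.0.11  node01.cluster.example node01
10.0.0.12  node02.cluster.example
10.0.0.99  node03
10.0.0.13  node03.cluster.example node03
10.0.0.14  node04 node04.cluster.example
"""
# hosts.equiv content: one host name per line (layout assumed here).
SAMPLE_EQUIV = "\n".join(f"node0{i}.cluster.example" for i in range(1, 5))

def parse_hosts(text):
    """hosts(5) text -> (name -> first IP, IP -> canonical name)."""
    fwd, rev = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            rev.setdefault(fields[0], fields[1])   # first name is canonical
            for name in fields[1:]:
                fwd.setdefault(name, fields[0])    # first matching line wins
    return fwd, rev

def check_equiv_names(hosts_text, equiv_text):
    """Return {host: [problems]} for every host listed in hosts.equiv."""
    fwd, rev = parse_hosts(hosts_text)
    report = {}
    for line in equiv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        fqdn = fields[0]
        short = fqdn.split(".", 1)[0]
        probs = [f"{n}: no forward entry" for n in (fqdn, short) if n not in fwd]
        if not probs and fwd[fqdn] != fwd[short]:
            probs.append("short and long names resolve to different addresses")
        if fqdn in fwd and rev[fwd[fqdn]] != fqdn:
            probs.append(f"reverse lookup of {fwd[fqdn]} gives {rev[fwd[fqdn]]}")
        report[fqdn] = probs
    return report

def equiv_file_problems(path):
    """Check that hosts.equiv is owned by root and writable by root only."""
    st = os.stat(path)
    probs = [] if st.st_uid == 0 else ["not owned by root"]
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        probs.append("writable by group or other")
    return probs
```

On a node, pass the contents of /etc/hosts and /etc/hosts.equiv to check_equiv_names() and the path /etc/hosts.equiv to equiv_file_problems(); an empty list means that check found nothing wrong.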

