[torqueusers] How to configure Torque with PAM right? (and cpuset also!)

Gustavo Correa gus at ldeo.columbia.edu
Fri Dec 31 07:09:01 MST 2010


Hi Garrick

No, no changes, security.conf is comments only.

Many thanks,
Gus Correa

On Dec 31, 2010, at 12:09 AM, Garrick Staples wrote:

> The pam_access module is probably letting them in. Have you done anything with /etc/security/access.conf?
> 
> On Dec 30, 2010, at 7:35 PM, Gus Correa wrote:
> 
>> Garrick Staples wrote:
>>> On Mon, Dec 20, 2010 at 05:40:08PM -0500, Gus Correa alleged:
>>>> Hi Garrick
>>>> 
>>>> Many thanks for your very clear explanations, as usual.
>>>> 
>>>> 1) I will use the new PAM libraries as you suggested.
>>>> 
>>>> **
>>>> 
>>>> 2) I know asking for better documentation isn't good etiquette,
>>>> but since Santa Claus is coming to town, it may be worth trying.
>>>> 
>>>> The Torque Admin Manual, section 3.4 Host Security, only talks
>>>> about the old pam_authuser:
>>>> 
>>>> http://www.clusterresources.com/torquedocs21/3.4hostsecurity.shtml
>>>> 
>>>> It would be great to have it updated, perhaps to a writeup
>>>> extracted from your email, pointing to the new PAM,
>>>> or explaining how to setup either the new or the old PAM.
>>>> A few examples of pam config files for each version would be great also.
>>>> 
>>>> **
>>> 
>>> There are lots of ways to do this, this is one:
>>> 
>>> for pamfile in /etc/pam.d/*;do
>>>   echo "account    sufficient   pam_pbssimpleauth.so" >> $pamfile
>>> done
>>> for i in ftp login rlogin rsh sshd; do  
>>>   echo "account    required     pam_access.so" >>/etc/pam.d/$i
>>> done
>>> 
>>> 
>>> 
>>> ------------------------------------------------------------------------
>>> 
>>> _______________________________________________
>>> torqueusers mailing list
>>> torqueusers at supercluster.org
>>> http://www.supercluster.org/mailman/listinfo/torqueusers
>> 
>> Hi list and Garrick
>> 
>> I built Torque 2.4.11 with pam, and
>> installed the mom, client, and pam packages in the compute nodes.
>> The pam_pbssimpleauth.[so,a,la] are there in /lib64/security.
>> 
>> I also modified the files in /etc/pam.d according to
>> the instructions you gave (see email above).
>> 
>> However, regular users continue to be able to ssh to compute nodes,
>> whether they have jobs running or not.
>> 
>> Ssh has keys in /etc/ssh/ssh_known_hosts2.
>> Standard password files.
>> The cluster is CentOS-based.
>> 
>> What else should I do to make pam_pbssimpleauth work as expected?
>> 
>> The thread below mentions the file /etc/pam.d/system-auth-pbs, which
>> doesn't exist in my /etc/pam.d:
>> http://www.clusterresources.com/pipermail/torqueusers/2009-April/008942.html
>> 
>> Is this what I am missing?
>> 
>> Many thanks and Happy New Year.
>> Gus Correa
>> _______________________________________________
>> torqueusers mailing list
>> torqueusers at supercluster.org
>> http://www.supercluster.org/mailman/listinfo/torqueusers
> 
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers



More information about the torqueusers mailing list