[torqueusers] How to configure Torque with PAM right? (and cpuset also!)

Garrick Staples garrick at usc.edu
Fri Dec 31 12:47:23 MST 2010


Then you should probably add a rule to deny users.

man pam_access
man access.conf

Mine has '-:ALL EXCEPT root @hpc-admins:ALL'


On Dec 31, 2010, at 6:09 AM, Gustavo Correa wrote:

> Hi Garrick
> 
> No, no changes, security.conf is comments only.
> 
> Many thanks,
> Gus Correa
> 
> On Dec 31, 2010, at 12:09 AM, Garrick Staples wrote:
> 
>> The pam_access module is probably letting them in. Have you done anything with /etc/security/access.conf?
>> 
>> On Dec 30, 2010, at 7:35 PM, Gus Correa wrote:
>> 
>>> Garrick Staples wrote:
>>>> On Mon, Dec 20, 2010 at 05:40:08PM -0500, Gus Correa alleged:
>>>>> Hi Garrick
>>>>> 
>>>>> Many thanks for your very clear explanations, as usual.
>>>>> 
>>>>> 1) I will use the new PAM libraries as you suggested.
>>>>> 
>>>>> **
>>>>> 
>>>>> 2) I know asking for better documentation isn't good etiquette,
>>>>> but since Santa Claus is coming to town, it may be worth trying.
>>>>> 
>>>>> The Torque Admin Manual, section 3.4 Host Security, only talks
>>>>> about the old pam_authuser:
>>>>> 
>>>>> http://www.clusterresources.com/torquedocs21/3.4hostsecurity.shtml
>>>>> 
>>>>> It would be great to have it updated, perhaps to a writeup
>>>>> extracted from your email, pointing to the new PAM,
>>>>> or explaining how to setup either the new or the old PAM.
>>>>> A few examples of pam config files for each version would be great also.
>>>>> 
>>>>> **
>>>> 
>>>> There are lots of ways to do this, this is one:
>>>> 
>>>> for pamfile in /etc/pam.d/*;do
>>>>  echo "account    sufficient   pam_pbssimpleauth.so" >> $pamfile
>>>> done
>>>> for i in ftp login rlogin rsh sshd; do  
>>>>  echo "account    required     pam_access.so" >>/etc/pam.d/$i
>>>> done
>>>> 
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------
>>>> 
>>>> _______________________________________________
>>>> torqueusers mailing list
>>>> torqueusers at supercluster.org
>>>> http://www.supercluster.org/mailman/listinfo/torqueusers
>>> 
>>> Hi list and Garrick
>>> 
>>> I built Torque 2.4.11 with pam, and
>>> installed the mom, client, and pam packages in the compute nodes.
>>> The pam_pbssimpleauth.[so,a,la] are there in /lib64/security.
>>> 
>>> I also modified the files in /etc/pam.d according to
>>> the instructions you gave (see email above).
>>> 
>>> However, regular users continue to be able to ssh to compute nodes,
>>> whether they have jobs running or not.
>>> 
>>> Ssh has keys in /etc/ssh/ssh_known_hosts2.
>>> Standard password files.
>>> The cluster is CentOS-based.
>>> 
>>> What else should I do to make pam_pbssimpleauth work as expected?
>>> 
>>> The thread below mentions the file /etc/pam.d/system-auth-pbs, which
>>> doesn't exist in my /etc/pam.d:
>>> http://www.clusterresources.com/pipermail/torqueusers/2009-April/008942.html
>>> 
>>> Is this what I am missing?
>>> 
>>> Many thanks and Happy New Year.
>>> Gus Correa
>>> _______________________________________________
>>> torqueusers mailing list
>>> torqueusers at supercluster.org
>>> http://www.supercluster.org/mailman/listinfo/torqueusers
>> 
>> _______________________________________________
>> torqueusers mailing list
>> torqueusers at supercluster.org
>> http://www.supercluster.org/mailman/listinfo/torqueusers
> 
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers



More information about the torqueusers mailing list