[torqueusers] How to configure Torque with PAM right? (and cpuset also!)
Garrick Staples
garrick at usc.edu
Fri Dec 31 12:47:23 MST 2010
Then you should probably add a rule to deny users.

man pam_access
man access.conf

Mine has '-:ALL EXCEPT root @hpc-admins:ALL'

On Dec 31, 2010, at 6:09 AM, Gustavo Correa wrote:
> Hi Garrick
>
> No, no changes, security.conf is comments only.
>
> Many thanks,
> Gus Correa
>
> On Dec 31, 2010, at 12:09 AM, Garrick Staples wrote:
>
>> The pam_access module is probably letting them in. Have you done anything with /etc/security/access.conf?
>>
>> On Dec 30, 2010, at 7:35 PM, Gus Correa wrote:
>>
>>> Garrick Staples wrote:
>>>> On Mon, Dec 20, 2010 at 05:40:08PM -0500, Gus Correa alleged:
>>>>> Hi Garrick
>>>>>
>>>>> Many thanks for your very clear explanations, as usual.
>>>>>
>>>>> 1) I will use the new PAM libraries as you suggested.
>>>>>
>>>>> **
>>>>>
>>>>> 2) I know asking for better documentation isn't good etiquette,
>>>>> but since Santa Claus is coming to town, it may be worth trying.
>>>>>
>>>>> The Torque Admin Manual, section 3.4 Host Security, only talks
>>>>> about the old pam_authuser:
>>>>>
>>>>> http://www.clusterresources.com/torquedocs21/3.4hostsecurity.shtml
>>>>>
>>>>> It would be great to have it updated, perhaps to a writeup
>>>>> extracted from your email, pointing to the new PAM,
>>>>> or explaining how to setup either the new or the old PAM.
>>>>> A few examples of pam config files for each version would be great also.
>>>>>
>>>>> **
>>>>
>>>> There are lots of ways to do this, this is one:
>>>>
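>>>> # let users with a running job on the node pass the account check
>>>> for pamfile in /etc/pam.d/*; do
>>>>     echo "account sufficient pam_pbssimpleauth.so" >> "$pamfile"
>>>> done
>>>> # everyone else is subject to /etc/security/access.conf
>>>> for i in ftp login rlogin rsh sshd; do
>>>>     echo "account required pam_access.so" >> "/etc/pam.d/$i"
>>>> done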
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> torqueusers mailing list
>>>> torqueusers at supercluster.org
>>>> http://www.supercluster.org/mailman/listinfo/torqueusers
>>>
>>> Hi list and Garrick
>>>
>>> I built Torque 2.4.11 with pam, and
>>> installed the mom, client, and pam packages in the compute nodes.
>>> The pam_pbssimpleauth.[so,a,la] are there in /lib64/security.
>>>
>>> I also modified the files in /etc/pam.d according to
>>> the instructions you gave (see email above).
>>>
>>> However, regular users continue to be able to ssh to compute nodes,
>>> whether they have jobs running or not.
>>>
>>> Ssh has keys in /etc/ssh/ssh_known_hosts2.
>>> Standard password files.
>>> The cluster is CentOS-based.
>>>
>>> What else should I do to make pam_pbssimpleauth work as expected?
>>>
>>> The thread below mentions the file /etc/pam.d/system-auth-pbs, which
>>> doesn't exist in my /etc/pam.d:
>>> http://www.clusterresources.com/pipermail/torqueusers/2009-April/008942.html
>>>
>>> Is this what I am missing?
>>>
>>> Many thanks and Happy New Year.
>>> Gus Correa
>>
>
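
The thread's symptom (users still able to ssh in) came from a comments-only access.conf. The following read-only check is an added example, not part of the original thread or of Torque: it verifies the two account lines and their order in a PAM service file and that access.conf has at least one active deny rule. The function name and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PAM service file and access.conf for the setup
# described in the thread. Reads files only, changes nothing.

# check_node_access PAM_FILE ACCESS_CONF -> returns 0 if complete, 1 otherwise
check_node_access() {
    pam_file=$1; access_conf=$2; rc=0
    # Line number of the first matching account entry for each module.
    pbs=$(awk '$1=="account" && $2=="sufficient" && $3 ~ /pam_pbssimpleauth\.so$/ {print NR; exit}' "$pam_file")
    acc=$(awk '$1=="account" && $2=="required" && $3 ~ /pam_access\.so$/ {print NR; exit}' "$pam_file")
    [ -n "$pbs" ] || { echo "MISSING: account sufficient pam_pbssimpleauth.so"; rc=1; }
    [ -n "$acc" ] || { echo "MISSING: account required pam_access.so"; rc=1; }
    # A failed "required" module cannot be rescued by a later "sufficient"
    # one, so the job check has to come before pam_access in the stack.
    if [ -n "$pbs" ] && [ -n "$acc" ] && [ "$pbs" -gt "$acc" ]; then
        echo "ORDER: pam_pbssimpleauth.so is listed after pam_access.so"; rc=1
    fi
    # pam_access grants access when no rule matches, so a comments-only
    # access.conf denies nobody. Count active deny ("-:") rules; this does
    # not verify which users the rule covers.
    deny=$(awk '/^[ \t]*-[ \t]*:/ {n++} END {print n+0}' "$access_conf")
    [ "$deny" -gt 0 ] || { echo "OPEN: no deny rule in $access_conf"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real node).
demo_dir=$(mktemp -d)
printf '%s\n' 'account required pam_nologin.so' \
    'account sufficient pam_pbssimpleauth.so' \
    'account required pam_access.so' > "$demo_dir/sshd"
printf '%s\n' '# comments only' > "$demo_dir/access.conf.open"
printf '%s\n' '# deny all but admins' \
    '-:ALL EXCEPT root @hpc-admins:ALL' > "$demo_dir/access.conf.deny"

if check_node_access "$demo_dir/sshd" "$demo_dir/access.conf.open"; then
    echo "open config: complete"; else echo "open config: incomplete"; fi
if check_node_access "$demo_dir/sshd" "$demo_dir/access.conf.deny"; then
    echo "deny config: complete"; else echo "deny config: incomplete"; fi
```

On a compute node, call `check_node_access /etc/pam.d/sshd /etc/security/access.conf`.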