[torqueusers] PAM best practices

Ti Leggett leggett at mcs.anl.gov
Thu Aug 18 09:03:26 MDT 2011

Here are the relevant PAM configs from one of our computes. admin.pads is our cluster administrative management node (i.e., how we push out all new updates and config changes).

$ cat /etc/security/access.conf 
+:root wheel:LOCAL
+:root wheel:admin.pads admin-172.pads
-:root wheel:ALL
+:@admins @pads-admins:@bastions @pads-login admin.pads

$ cat /etc/security/limits.conf 
# /etc/security/limits.conf

# Increase the number of open files
*               -       nofile          65536

# Allow unlimited locked in memory
*               -       memlock         unlimited

# Allow unlimited stack size
*               -       stack           unlimited

$ cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_nologin.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_pbssimpleauth.so
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so

On Aug 17, 2011, at 5:51 PM, Rick McKay wrote:

> Greetings,
> Ken Nielson and I are in the process of reviewing the TORQUE documentation for PAM; we'd appreciate feedback about best practices, in order to update the docs to reflect this. Your recommendations on implementation and usage of PAM and TORQUE (or anything else related to this) will undoubtedly help.
> Thanks in advance,
> Rick
> Rick McKay
> rmckay at adaptivecomputing.com
> rickmckay at gmail.com
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers
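
How the account stack in the message above is evaluated, as an added example that is not part of the original message or of TORQUE: a simplified Python model of Linux-PAM control flags (new_authtok_reqd and jump counts are left out). The module return values are constructed inputs, and it assumes pam_pbssimpleauth.so succeeds only when the user has a job on the node.

```python
# Added example: simplified Linux-PAM control-flag model; module results are constructed.
import re

ACCOUNT_STACK = """\
account     sufficient    pam_pbssimpleauth.so
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
"""

# Keyword controls written out in their documented [value=action] form.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}


def parse(stack):
    """Return [(module, {return_value: action})] for each line of a PAM stack."""
    rules = []
    for line in stack.splitlines():
        m = re.match(r"\s*\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        ctl, module = m.groups()
        actions = (dict(p.split("=") for p in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        rules.append((module, actions))
    return rules


def evaluate(rules, results):
    """Return (granted, modules consulted); modules absent from results succeed."""
    state, seen = None, []  # None = undecided, True = positive, False = failed
    for module, actions in rules:
        seen.append(module)
        ret = results.get(module, "success")
        action = actions.get(ret, actions["default"])
        if action in ("bad", "die"):
            state = False
        elif action in ("ok", "done") and state is None:
            state = True
        if action == "die" or (action == "done" and state):
            break  # "done" only ends the stack if nothing has failed so far
    return state is True, seen
```

With this ordering a successful pam_pbssimpleauth.so ends the account stack before pam_access.so is consulted, so access.conf only governs users without a job on the node.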
