farmshare: Add support for pam_slurm

10f188fd · Adam Seishas · Karl Kornel · 4e9cb0b2 · 10f188fd · 10f188fd
Commit 10f188fd authored Nov 01, 2016 by Adam Seishas Committed by Karl Kornel Dec 12, 2016
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -15,8 +15,9 @@
 # Default: false

 class base::ssh(
-  $pam_afs = true,
-  $pam_duo = false
+  $pam_afs   = true,
+  $pam_duo   = false,
+  $pam_slurm = false
 ){

  # Install the openssh server package.
@@ -33,10 +34,18 @@ class base::ssh(
    }
  }

+  # If we are using SLURM, install the module.
+  if $pam_slurm {
+    package { 'libpam-slurm':
+      ensure => installed,
+    }
+  }
+
  # Setup /etc/pam.d/sshd to require Duo on regular logins.
  class { 'ssh::pam':
-    pam_afs => $pam_afs,
-    pam_duo => $pam_duo,
+    pam_afs   => $pam_afs,
+    pam_duo   => $pam_duo,
+    pam_slurm => $pam_slurm,
  }

  # Our default ssh rules allow connections from all of campus.  This is

--- a/manifests/ssh/pam.pp
+++ b/manifests/ssh/pam.pp
@@ -6,8 +6,9 @@
 # Currently, only Debian is supported when $pam_duo is true.

 class ssh::pam (
-  $pam_afs = true,
-  $pam_duo = false
+  $pam_afs   = true,
+  $pam_duo   = false,
+  $pam_slurm = false
 ){

  # Configure PAM for sshd on RHEL 6.

--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -30,7 +30,15 @@ account    required     pam_nologin.so
 # Uncomment and edit /etc/security/access.conf if you need to set complex
 # access limits that are hard to express in sshd_config.
 # account  required     pam_access.so
+<% if @pam_slurm %>

+# Allow access to SLURM compute nodes only if a user has an active job running
+# there, but allow access to administrators using either their normal or .root
+# identities.
+
+account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
+account   required                       /lib/security/pam_slurm.so
+<% end %>
 # Standard Un*x authorization.
 @include common-account