Commit 10f188fd authored by Adam Seishas's avatar Adam Seishas Committed by Karl Kornel

farmshare: Add support for pam_slurm

parent 4e9cb0b2
......@@ -15,8 +15,9 @@
# Default: false
class base::ssh(
$pam_afs = true,
$pam_duo = false
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false
){
# Install the openssh server package.
......@@ -33,10 +34,18 @@ class base::ssh(
}
}
# If we are using SLURM, install the module.
if $pam_slurm {
package { 'libpam-slurm':
ensure => installed,
}
}
# Setup /etc/pam.d/sshd to require Duo on regular logins.
class { 'ssh::pam':
pam_afs => $pam_afs,
pam_duo => $pam_duo,
pam_afs => $pam_afs,
pam_duo => $pam_duo,
pam_slurm => $pam_slurm,
}
# Our default ssh rules allow connections from all of campus. This is
......
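Review bot: The new `package { 'libpam-slurm': }` resource has no explicit ordering against `class { 'ssh::pam': }`, which is what writes the pam_slurm line into the sshd PAM stack. If the PAM file is written before the module is installed, a `required` module that cannot be loaded is expected to fail the account stack, denying logins for everyone not on the administrator list until the package arrives. Adding `before => Class['ssh::pam'],` to the package resource makes the order explicit instead of relying on manifest order. The parameter documentation above the class (`# Default: false` is visible) also gets no entry for `$pam_slurm` in this hunk, and the class body continues outside it.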
......@@ -6,8 +6,9 @@
# Currently, only Debian is supported when $pam_duo is true.
class ssh::pam (
$pam_afs = true,
$pam_duo = false
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false
){
# Configure PAM for sshd on RHEL 6.
......
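Review bot: `$pam_slurm` is added to `ssh::pam` without a documentation entry or an OS guard, although the comment just above the class says only Debian is supported for `$pam_duo` and the body goes on to configure RHEL 6. In the visible changes only one PAM template gains the pam_slurm rules (the one ending in `@include common-account`, presumably the Debian one), and `libpam-slurm` is a Debian package name. On another platform `pam_slurm => true` would therefore probably be accepted while the job check is never enforced. I would add a `$pam_slurm` entry to the header comment stating the supported OS, and call `fail()` when it is set on an unsupported `$::osfamily`. The class body is outside the hunk, so confirm it does not already handle this.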
......@@ -30,7 +30,15 @@ account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
<% if @pam_slurm %>
# Allow access to SLURM compute nodes only if a user has an active job running
# there, but allow access to administrators using either their normal or .root
# identities.
account [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
account required /lib/security/pam_slurm.so
<% end %>
# Standard Un*x authorization.
@include common-account
......
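Review bot: The `pam_listfile.so` line turns `/etc/security/rcadmins_all` into a bypass list for the job check, but nothing in the visible changes deploys that file or pins its ownership and mode. With `onerr=fail` a missing file falls through to `pam_slurm.so`, which fails closed but leaves administrators unable to reach a node without a job. Anyone able to write the file skips the check, so it should be managed alongside this template as root-owned and not group- or world-writable. `[success=1 default=ignore]` only works while `pam_slurm.so` is the very next line; a comment such as `# success=1 skips exactly one module; keep these two lines adjacent` would guard against a later insertion. The absolute `/lib/security/pam_slurm.so` should be checked against where `libpam-slurm` installs the module, or written as bare `pam_slurm.so` so PAM resolves its own module directory.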