Commit 10f188fd authored by Adam Seishas's avatar Adam Seishas Committed by Karl Kornel
Browse files

farmshare: Add support for pam_slurm

parent 4e9cb0b2
...@@ -15,8 +15,9 @@ ...@@ -15,8 +15,9 @@
# Default: false # Default: false
class base::ssh( class base::ssh(
$pam_afs = true, $pam_afs = true,
$pam_duo = false $pam_duo = false,
$pam_slurm = false
){ ){
# Install the openssh server package. # Install the openssh server package.
...@@ -33,10 +34,18 @@ class base::ssh( ...@@ -33,10 +34,18 @@ class base::ssh(
} }
} }
# If we are using SLURM, install the module.
if $pam_slurm {
package { 'libpam-slurm':
ensure => installed,
}
}
# Setup /etc/pam.d/sshd to require Duo on regular logins. # Setup /etc/pam.d/sshd to require Duo on regular logins.
class { 'ssh::pam': class { 'ssh::pam':
pam_afs => $pam_afs, pam_afs => $pam_afs,
pam_duo => $pam_duo, pam_duo => $pam_duo,
pam_slurm => $pam_slurm,
} }
# Our default ssh rules allow connections from all of campus. This is # Our default ssh rules allow connections from all of campus. This is
......
...@@ -6,8 +6,9 @@ ...@@ -6,8 +6,9 @@
# Currently, only Debian is supported when $pam_duo is true. # Currently, only Debian is supported when $pam_duo is true.
class ssh::pam ( class ssh::pam (
$pam_afs = true, $pam_afs = true,
$pam_duo = false $pam_duo = false,
$pam_slurm = false
){ ){
# Configure PAM for sshd on RHEL 6. # Configure PAM for sshd on RHEL 6.
......
...@@ -30,7 +30,15 @@ account required pam_nologin.so ...@@ -30,7 +30,15 @@ account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex # Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config. # access limits that are hard to express in sshd_config.
# account required pam_access.so # account required pam_access.so
<% if @pam_slurm %>
# Allow access to SLURM compute nodes only if a user has an active job running
# there, but allow access to administrators using either their normal or .root
# identities.
account [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
account required /lib/security/pam_slurm.so
<% end %>
# Standard Un*x authorization. # Standard Un*x authorization.
@include common-account @include common-account
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment