ssh::pam: Support specifying a list of people who can bypass pam_slurm

manifests/ssh/pam.pp

@@ -7,11 +7,15 @@
 #
 # If you are using the SLURM job scheduler, setting $pam_slurm to true will
 # cause user logins to be rejected unless they have a valid job allocation.
+# In that case, you can set $pam_slurm_bypass to an absolute path, where all
+# users listed in the file (one username per line) will not be checked.  This
+# is good so that admin users can continue to log in.
 
 class ssh::pam (
-  $pam_afs   = true,
-  $pam_duo   = false,
-  $pam_slurm = false
+  $pam_afs          = true,
+  $pam_duo          = false,
+  $pam_slurm        = false,
+  $pam_slurm_bypass = 'NONE',
 ){
 
   # Configure PAM for sshd on RHEL 6.

templates/ssh/etc/pam.d/sshd.erb

@@ -31,14 +31,17 @@ account    required     pam_nologin.so
 # access limits that are hard to express in sshd_config.
 # account  required     pam_access.so
 <% if @pam_slurm %>
+<% if @pam_slurm_bypass != 'NONE' %>
 
-# Allow access to SLURM compute nodes only if a user has an active job running
-# there, but allow access to administrators using either their normal or .root
-# identities.
+# Bypass the pam_slurm check for certain people.
+account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=<%= @pam_slurm_bypass %> onerr=fail
+<% end %>
 
-account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
+# Allow access to SLURM compute nodes only if a user has an active job running
+# there.
 account   required                       /lib/security/pam_slurm.so
 <% end %>
+
 # Standard Un*x authorization.
 @include common-account