Commit eca47404 authored by Karl Kornel

ssh::pam: Support specifying a list of people who can bypass pam_slurm

parent b869d6b0
...@@ -7,11 +7,15 @@ ...@@ -7,11 +7,15 @@
# #
# If you are using the SLURM job scheduler, setting $pam_slurm to true will # If you are using the SLURM job scheduler, setting $pam_slurm to true will
# cause user logins to be rejected unless they have a valid job allocation. # cause user logins to be rejected unless they have a valid job allocation.
# In that case, you can set $pam_slurm_bypass to an absolute path, where all
# users listed in the file (one username per line) will not be checked. This
# is good so that admin users can continue to log in.
class ssh::pam ( class ssh::pam (
$pam_afs = true, $pam_afs = true,
$pam_duo = false, $pam_duo = false,
$pam_slurm = false $pam_slurm = false,
$pam_slurm_bypass = 'NONE',
){ ){
# Configure PAM for sshd on RHEL 6. # Configure PAM for sshd on RHEL 6.
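Review bot: the 'NONE' sentinel at `$pam_slurm_bypass = 'NONE',` is a magic string that the template has to know about and that a typo such as 'none' would silently defeat; a Puppet-native `undef` default with a plain `<% if @pam_slurm_bypass %>` in the template carries the same "no bypass file" meaning without the special value. The doc comment promises an absolute path but the class never checks it; if puppetlabs-stdlib is available, `validate_absolute_path($pam_slurm_bypass)` in the class body (guarded by the same "is it set" test) rejects a relative path before it reaches the PAM stack. Also worth stating in the header comment: anyone who can write the listed file can skip pam_slurm on every node that sets this parameter, so the class should either manage that file itself (root-owned, not group- or world-writable) or say explicitly that the caller must.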
......
...@@ -31,14 +31,17 @@ account required pam_nologin.so ...@@ -31,14 +31,17 @@ account required pam_nologin.so
# access limits that are hard to express in sshd_config. # access limits that are hard to express in sshd_config.
# account required pam_access.so # account required pam_access.so
<% if @pam_slurm %> <% if @pam_slurm %>
<% if @pam_slurm_bypass != 'NONE' %>
# Allow access to SLURM compute nodes only if a user has an active job running # Bypass the pam_slurm check for certain people.
# there, but allow access to administrators using either their normal or .root account [success=1 default=ignore] pam_listfile.so item=user sense=allow file=<%= @pam_slurm_bypass %> onerr=fail
# identities. <% end %>
account [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail # Allow access to SLURM compute nodes only if a user has an active job running
# there.
account required /lib/security/pam_slurm.so account required /lib/security/pam_slurm.so
<% end %> <% end %>
# Standard Un*x authorization. # Standard Un*x authorization.
@include common-account @include common-account
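Review bot: this hunk changes default behaviour, not just the wording. Before, administrators listed in /etc/security/rcadmins_all could always log in to compute nodes; after, the pam_listfile line is emitted only when $pam_slurm_bypass is set, and the 'NONE' default drops it, so every host that relied on rcadmins_all now needs the parameter set (for instance to '/etc/security/rcadmins_all') or admins lose SSH access to any node where they hold no job allocation. The commit message should call that out. Second, the failure mode of the new line is quiet: pam_listfile refuses a file that is missing, world-writable or not a regular file, `onerr=fail` turns that into an error, and `[success=1 default=ignore]` then ignores the error and falls through to pam_slurm, so a bad path or wrong permissions shows up only as "admins cannot log in" plus a syslog line from pam_listfile. Failing closed is the right direction, but the "Bypass the pam_slurm check for certain people." comment could note that a missing or unreadable bypass file disables the bypass rather than denying everyone, since that is what an operator will be debugging.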
......