Commit eca47404 authored by Karl Kornel

ssh::pam: Support specifying a list of people who can bypass pam_slurm

parent b869d6b0
......@@ -7,11 +7,15 @@
#
# If you are using the SLURM job scheduler, setting $pam_slurm to true will
# cause user logins to be rejected unless they have a valid job allocation.
# In that case, you can set $pam_slurm_bypass to an absolute path, where all
# users listed in the file (one username per line) will not be checked. This
# is good so that admin users can continue to log in.
class ssh::pam (
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false
$pam_slurm = false,
$pam_slurm_bypass = 'NONE',
){
# Configure PAM for sshd on RHEL 6.
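Review bot: $pam_slurm_bypass in the parameter list is documented as an absolute path, but nothing in the visible lines enforces that, and the string 'NONE' doubles as the off switch. Consider defaulting to undef and validating the value as an absolute path when it is set, so a relative path or typo fails at catalog compile time instead of producing a pam_listfile line that never matches. The header comment should also say who manages the file and that it must be root-owned and not writable by others, since anyone who can edit it is exempt from the job-allocation check.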
......
......@@ -31,14 +31,17 @@ account required pam_nologin.so
# access limits that are hard to express in sshd_config.
# account required pam_access.so
<% if @pam_slurm %>
<% if @pam_slurm_bypass != 'NONE' %>
# Allow access to SLURM compute nodes only if a user has an active job running
# there, but allow access to administrators using either their normal or .root
# identities.
# Bypass the pam_slurm check for certain people.
account [success=1 default=ignore] pam_listfile.so item=user sense=allow file=<%= @pam_slurm_bypass %> onerr=fail
<% end %>
account [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
# Allow access to SLURM compute nodes only if a user has an active job running
# there.
account required /lib/security/pam_slurm.so
<% end %>
# Standard Un*x authorization.
@include common-account
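Review bot: [success=1 default=ignore] on the new pam_listfile line for <%= @pam_slurm_bypass %> skips exactly one following module, so the bypass only works if pam_slurm.so is the very next account line. This view has lost its +/- markers, so please confirm the /etc/security/rcadmins_all line is removed in the rendered template. If it stays, a user in the bypass file skips that line and is still checked by pam_slurm. With both lists present, the first would need success=2. The path is also interpolated unquoted into the PAM line, so a value containing whitespace would split the file= argument. Validating the parameter would rule that out. Finally, with onerr=fail and default=ignore, a missing or unreadable bypass file falls through to pam_slurm, which fails closed but locks out admins without a job. That behaviour is worth a comment in the template.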
......