From 10f188fdb1b0c431f886dff46e7f1f5463901559 Mon Sep 17 00:00:00 2001
From: Adam Seishas <aseishas@stanford.edu>
Date: Tue, 1 Nov 2016 17:44:21 -0700
Subject: [PATCH] farmshare: Add support for pam_slurm

---
 manifests/ssh.pp                 | 17 +++++++++++++----
 manifests/ssh/pam.pp             |  5 +++--
 templates/ssh/etc/pam.d/sshd.erb |  8 ++++++++
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index 2ca3a5f..8c396b4 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -15,8 +15,9 @@
 # Default: false
 
 class base::ssh(
-  $pam_afs = true,
-  $pam_duo = false
+  $pam_afs   = true,
+  $pam_duo   = false,
+  $pam_slurm = false
 ){
 
   # Install the openssh server package.
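Review bot: The new `$pam_slurm` parameter is not described in the header comment block that documents the class parameters (the hunk's context ends that block with `# Default: false`), and the same omission appears in the `ssh::pam` header in manifests/ssh/pam.pp. Assuming the block uses the same format as the visible `# Default:` line, add an entry such as `# $pam_slurm - If true, install libpam-slurm and gate logins through pam_slurm.so (see templates/ssh/etc/pam.d/sshd.erb)` followed by `# Default: false` to both classes. The body of `base::ssh` continues outside this hunk.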
@@ -33,10 +34,18 @@ class base::ssh(
     }
   }
 
+  # If we are using SLURM, install the module.
+  if $pam_slurm {
+    package { 'libpam-slurm':
+      ensure => installed,
+    }
+  }
+
   # Setup /etc/pam.d/sshd to require Duo on regular logins.
   class { 'ssh::pam':
-    pam_afs => $pam_afs,
-    pam_duo => $pam_duo,
+    pam_afs   => $pam_afs,
+    pam_duo   => $pam_duo,
+    pam_slurm => $pam_slurm,
   }
 
   # Our default ssh rules allow connections from all of campus.  This is
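Review bot: Nothing in this hunk orders `Package['libpam-slurm']` before `Class['ssh::pam']`, so on a first run Puppet may write an /etc/pam.d/sshd that names `pam_slurm.so` as a `required` account module before the package is installed, and sshd logins fail until it lands (the dependency may be declared inside ssh::pam, which is outside this hunk). A one-line fix inside the `if $pam_slurm` block is `Package['libpam-slurm'] -> Class['ssh::pam']`, or equivalently `require => Package['libpam-slurm']` on the file resource in ssh::pam. The comment above the class declaration, `# Setup /etc/pam.d/sshd to require Duo on regular logins.`, no longer covers what the class now configures; `# Setup /etc/pam.d/sshd: Duo on regular logins, SLURM job gating when enabled.` would keep it accurate.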
diff --git a/manifests/ssh/pam.pp b/manifests/ssh/pam.pp
index b9a8dd7..53ea1fd 100644
--- a/manifests/ssh/pam.pp
+++ b/manifests/ssh/pam.pp
@@ -6,8 +6,9 @@
 # Currently, only Debian is supported when $pam_duo is true.
 
 class ssh::pam (
-  $pam_afs = true,
-  $pam_duo = false
+  $pam_afs   = true,
+  $pam_duo   = false,
+  $pam_slurm = false
 ){
 
   # Configure PAM for sshd on RHEL 6.
diff --git a/templates/ssh/etc/pam.d/sshd.erb b/templates/ssh/etc/pam.d/sshd.erb
index 5625053..7e00d60 100644
--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -30,7 +30,15 @@ account    required     pam_nologin.so
 # Uncomment and edit /etc/security/access.conf if you need to set complex
 # access limits that are hard to express in sshd_config.
 # account  required     pam_access.so
+<% if @pam_slurm %>
 
+# Allow access to SLURM compute nodes only if a user has an active job running
+# there, but allow access to administrators using either their normal or .root
+# identities.
+
+account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
+account   required                       /lib/security/pam_slurm.so
+<% end %>
 # Standard Un*x authorization.
 @include common-account
 
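Review bot: The admin bypass depends on `/etc/security/rcadmins_all` existing, being root-owned and not world-writable, and listing both the normal and `.root` identities, yet nothing in this commit manages that file; with `onerr=fail` a missing or insecure file makes pam_listfile fail, `default=ignore` falls through, and administrators without an active job are then refused by `pam_slurm.so` (fail-closed, but worth stating in the comment, e.g. `# If rcadmins_all is missing or not root-owned, everyone is gated by pam_slurm.`). The module is referenced by absolute path `/lib/security/pam_slurm.so` while every other line uses a bare module name resolved from the PAM search path; if the package installs into the standard module directory, `pam_slurm.so` alone would be consistent and robust to multiarch layouts. Finally, `<% if @pam_slurm %>` opens before the context blank line, so the separator between the pam_access comment and `# Standard Un*x authorization.` disappears when the flag is false; placing the tag after the blank line, or using `<%- if @pam_slurm -%>` / `<%- end -%>`, keeps the rendered file identical to the previous version when disabled.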
-- 
GitLab