farmshare: Add support for pam_slurm

manifests/ssh.pp

@@ -15,8 +15,9 @@
 # Default: false
 
 class base::ssh(
-  $pam_afs = true,
-  $pam_duo = false
+  $pam_afs   = true,
+  $pam_duo   = false,
+  $pam_slurm = false
 ){
 
   # Install the openssh server package.
@@ -33,10 +34,18 @@ class base::ssh(
     }
   }
 
+  # If we are using SLURM, install the module.
+  if $pam_slurm {
+    package { 'libpam-slurm':
+      ensure => installed,
+    }
+  }
+
   # Setup /etc/pam.d/sshd to require Duo on regular logins.
   class { 'ssh::pam':
-    pam_afs => $pam_afs,
-    pam_duo => $pam_duo,
+    pam_afs   => $pam_afs,
+    pam_duo   => $pam_duo,
+    pam_slurm => $pam_slurm,
   }
 
   # Our default ssh rules allow connections from all of campus.  This is

manifests/ssh/pam.pp

@@ -6,8 +6,9 @@
 # Currently, only Debian is supported when $pam_duo is true.
 
 class ssh::pam (
-  $pam_afs = true,
-  $pam_duo = false
+  $pam_afs   = true,
+  $pam_duo   = false,
+  $pam_slurm = false
 ){
 
   # Configure PAM for sshd on RHEL 6.

templates/ssh/etc/pam.d/sshd.erb

@@ -30,7 +30,15 @@ account    required     pam_nologin.so
 # Uncomment and edit /etc/security/access.conf if you need to set complex
 # access limits that are hard to express in sshd_config.
 # account  required     pam_access.so
+<% if @pam_slurm %>
 
+# Allow access to SLURM compute nodes only if a user has an active job running
+# there, but allow access to administrators using either their normal or .root
+# identities.
+
+account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
+account   required                       /lib/security/pam_slurm.so
+<% end %>
 # Standard Un*x authorization.
 @include common-account