From eca474044de32610e818cdcd017c7400fb5e80d3 Mon Sep 17 00:00:00 2001
From: "A. Karl Kornel" <akkornel@stanford.edu>
Date: Mon, 12 Dec 2016 10:42:41 -0800
Subject: [PATCH] ssh::pam: Support specifying a list of people who can bypass
 pam_slurm

---
 manifests/ssh/pam.pp             | 10 +++++++---
 templates/ssh/etc/pam.d/sshd.erb | 11 +++++++----
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/manifests/ssh/pam.pp b/manifests/ssh/pam.pp
index 3e9bca2..0774a2c 100644
--- a/manifests/ssh/pam.pp
+++ b/manifests/ssh/pam.pp
@@ -7,11 +7,15 @@
 #
 # If you are using the SLURM job scheduler, setting $pam_slurm to true will
 # cause user logins to be rejected unless they have a valid job allocation.
+# In that case, you can set $pam_slurm_bypass to an absolute path, where all
+# users listed in the file (one username per line) will not be checked.  This
+# is good so that admin users can continue to log in.
 
 class ssh::pam (
-  $pam_afs   = true,
-  $pam_duo   = false,
-  $pam_slurm = false
+  $pam_afs          = true,
+  $pam_duo          = false,
+  $pam_slurm        = false,
+  $pam_slurm_bypass = 'NONE',
 ){
 
   # Configure PAM for sshd on RHEL 6.
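Review bot: `$pam_slurm_bypass` is interpolated verbatim into the `file=` argument of a pam_listfile line in sshd.erb, but nothing in this hunk checks that it is the absolute path the header comment promises; a relative path, an empty string or a path containing whitespace yields a pam line whose file pam_listfile cannot open, and the failure only shows up as admins being unable to log in. If the module already depends on puppetlabs-stdlib (not visible from this hunk), a guard after the parameter list such as `if $pam_slurm_bypass != 'NONE' { validate_absolute_path($pam_slurm_bypass) }` catches this at catalog compile time; otherwise an explicit regex check against `/^\/[^\s]+$/` does the same job. The header comment should also tell operators what pam_listfile will accept, e.g. `# The file must be a regular file that is not world-writable; pam_listfile refuses it otherwise, and with onerr=fail the listed users are then subject to the pam_slurm check like everyone else.` The body of class ssh::pam continues outside this hunk.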
diff --git a/templates/ssh/etc/pam.d/sshd.erb b/templates/ssh/etc/pam.d/sshd.erb
index 7e00d60..5b148ad 100644
--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -31,14 +31,17 @@ account    required     pam_nologin.so
 # access limits that are hard to express in sshd_config.
 # account  required     pam_access.so
 <% if @pam_slurm %>
+<% if @pam_slurm_bypass != 'NONE' %>
 
-# Allow access to SLURM compute nodes only if a user has an active job running
-# there, but allow access to administrators using either their normal or .root
-# identities.
+# Bypass the pam_slurm check for certain people.
+account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=<%= @pam_slurm_bypass %> onerr=fail
+<% end %>
 
-account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
+# Allow access to SLURM compute nodes only if a user has an active job running
+# there.
 account   required                       /lib/security/pam_slurm.so
 <% end %>
+
 # Standard Un*x authorization.
 @include common-account
 
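Review bot: The comment added above the pam_listfile line does not state what happens when the bypass file is absent, unreadable or rejected, which is the property an operator needs to trust this line: with `onerr=fail` the module returns an error, `[success=1 default=ignore]` discards anything but success, and control falls through to pam_slurm, so a broken bypass file fails closed (listed admins are checked like everyone else) rather than opening the node. I would extend the comment to: `# Users listed in the file skip pam_slurm (success=1). If the file is missing, unreadable or world-writable, onerr=fail plus default=ignore falls through to pam_slurm, i.e. a bad file fails closed.` Separately, `file=<%= @pam_slurm_bypass %>` is emitted unquoted and PAM splits module arguments on whitespace, so a path containing a space would have to be written as `[file=<%= @pam_slurm_bypass %>]`; constraining the parameter in pam.pp is the simpler fix.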
-- 
GitLab