ssh::pam: Support specifying a list of people who can bypass pam_slurm

eca47404 · Karl Kornel · b869d6b0 · eca47404 · eca47404
Commit eca47404 authored 8 years ago by Karl Kornel
--- a/manifests/ssh/pam.pp
+++ b/manifests/ssh/pam.pp
@@ -7,11 +7,15 @@
 #
 # If you are using the SLURM job scheduler, setting $pam_slurm to true will
 # cause user logins to be rejected unless they have a valid job allocation.
+# In that case, you can set $pam_slurm_bypass to an absolute path, where all
+# users listed in the file (one username per line) will not be checked.  This
+# is good so that admin users can continue to log in.
 class ssh::pam (
-  $pam_afs   = true,
+  $pam_afs          = true,
-  $pam_duo   = false,
+  $pam_duo          = false,
-  $pam_slurm = false
+  $pam_slurm        = false,
+  $pam_slurm_bypass = 'NONE',
 ){
  # Configure PAM for sshd on RHEL 6.

--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -31,14 +31,17 @@ account    required     pam_nologin.so
 # access limits that are hard to express in sshd_config.
 # account  required     pam_access.so
 <% if @pam_slurm %>
+<% if @pam_slurm_bypass != 'NONE' %>
-# Allow access to SLURM compute nodes only if a user has an active job running
+# Bypass the pam_slurm check for certain people.
-# there, but allow access to administrators using either their normal or .root
+account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=<%= @pam_slurm_bypass %> onerr=fail
-# identities.
+<% end %>
-account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
+# Allow access to SLURM compute nodes only if a user has an active job running
+# there.
 account   required                       /lib/security/pam_slurm.so
 <% end %>
 # Standard Un*x authorization.
 @include common-account