[GE users] "locking down" grid machines

Bevan C. Bennett bevan at fulcrummicro.com
Thu May 13 19:27:40 BST 2004


Ron Chen wrote:
> If you use the default SGE rshd, then you can create
> /etc/nologin and pass -i for "rsh daemon" in the
> config.
> 
> If you use SGE with SSH using the integration described
> in the HOWTO, then let me know! I am modifying sshd,
> and skipping the check for /etc/nologin is one that I think
> would be useful.

I use SGE with SSH for qrsh and the following setup:

Create the following symlink on all compute servers:
/usr/sbin/sge-sshd -> /usr/sbin/sshd

/etc/pam.d/sshd contains:
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_access.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

/etc/pam.d/sge-sshd contains:
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

/etc/security/access.conf contains:
-:ALL EXCEPT wheel itgroup:ALL

SGE is then configured to use "/usr/sbin/sge-sshd -i" and everything 
works well: normal users can qrsh in but not ssh in, while root and the 
IT department can still ssh in.
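
A check that could be run on each compute server to confirm the layout from this message is still in place, as an added example that is not part of the original post. The setup depends on sshd started as sge-sshd reading /etc/pam.d/sge-sshd, which omits pam_access. The function names, the ROOT prefix argument and the abbreviated sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a staged copy of the layout from the post.
# ROOT prefix, function names and the sample tree are assumptions.

# has_module FILE TYPE MODULE: true if an uncommented TYPE line loads MODULE
has_module() {
    awk -v t="$2" -v m="$3" '
        /^[ \t]*(#|$)/ { next }
        { sub(/^-/, "", $1) }
        $1 == t { for (i = 3; i <= NF; i++) if ($i == m) found = 1 }
        END { exit !found }' "$1"
}

# audit_lockdown ROOT: print findings, return the number of problems
audit_lockdown() {
    root=$1; n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }
    has_module "$root/etc/pam.d/sshd" account pam_access.so ||
        fail "sshd stack lacks pam_access, plain ssh is not restricted"
    if has_module "$root/etc/pam.d/sge-sshd" account pam_access.so; then
        fail "sge-sshd stack has pam_access, qrsh would be blocked too"
    fi
    for svc in sshd sge-sshd; do
        has_module "$root/etc/pam.d/$svc" auth pam_nologin.so ||
            fail "$svc stack lacks pam_nologin"
    done
    link="$root/usr/sbin/sge-sshd"
    if [ ! -L "$link" ] || [ "$(basename "$(readlink "$link")")" != sshd ]; then
        fail "$link is not a symlink to sshd"
    fi
    grep -Eq '^[[:space:]]*-[[:space:]]*:' "$root/etc/security/access.conf" ||
        fail "access.conf has no deny rule for pam_access to enforce"
    [ "$n" -eq 0 ] && echo "OK: layout matches the post"
    return "$n"
}

# stage_sample: constructed, abbreviated copy of the files quoted in the post
stage_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d" "$d/etc/security" "$d/usr/sbin"
    printf 'auth required pam_nologin.so\naccount required pam_access.so\n' > "$d/etc/pam.d/sshd"
    printf 'auth required pam_nologin.so\naccount required pam_stack.so service=system-auth\n' > "$d/etc/pam.d/sge-sshd"
    echo '-:ALL EXCEPT wheel itgroup:ALL' > "$d/etc/security/access.conf"
    ln -s /usr/sbin/sshd "$d/usr/sbin/sge-sshd"
    echo "$d"
}

sample=$(stage_sample)
audit_lockdown "$sample"
```

On a live host, `audit_lockdown ""` checks the real /etc and /usr/sbin paths.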


