[GE users] Limiting access to compute nodes

cjf001 john.foley at motorola.com
Wed May 20 14:41:26 BST 2009


Well, the way we do it is this (note: this depends on NIS being used....):

1) make the end of your /etc/passwd files look like this:
     +@root_users
     +@allowed_logins_<hostname>
     +:*:::::

2) make your /etc/nsswitch.conf files look like this:
     (only the passwd line is shown; there are of course many other
      lines in there....)
     passwd:        compat

3) create a netgroup named allowed_logins_<hostname> and put
   in it as many or as few users as you want to be able to log
   in to that node.

Note that we have a netgroup called root_users, in addition to
the allowed_logins_<hostname> netgroup for each machine, but you
don't really need that - the root_users netgroup could be
included in all the individual allowed_logins_<hostname> netgroups.

The nice thing about this is that it's controlled from a central
location (the NIS master), so it's quick and easy to add or remove
access if desired. We put this setup into place in our node build
process, so it's there whenever we rebuild a machine. There are
many variations that you could create off of this idea. And,
no messing with PAM :)

The key, of course, is the last line. When someone tries to log
into the machine, if the login process gets to the last line in the
passwd file without finding the user's id (because it's not in the
allowed_logins_<hostname> or root_users netgroups), then the "*"
blocks the password from being seen, and the user can't log in.
The user's uid is still available on the machine, though, and
rsh is not blocked (if you're using MPI) because it doesn't use
the passwd file when running remote commands (not sure about ssh,
because we don't use it for MPI here...)

       good luck!

       John



beatrubi wrote:

> Hello!
> 
> I'm looking for a clean way to limit access of unprivileged users to compute
> nodes where jobs of them are running. Probably the best way is some kind of
> PAM module like pam_slurm [1], the only thing I found is a bad hack [2] in
> the Rocks mailinglist.
> 
>     [1] https://computing.llnl.gov/linux/slurm/download.html
>     [2] https://lists.sdsc.edu/pipermail/npaci-rocks-discussion/2005-July/012800.html
> 
> Does somebody know a clean way, or am I searching in the wrong direction?
> 
> Beat
> 



-- 
###########################################################################
# John Foley                          # Location:  IL93-E1-21S            #
# IT & Systems Administration         # Maildrop:  IL93-E1-35O            #
# Antenna & Mechanical Simulation Grp #    Email: john.foley at motorola.com #
# Motorola, Inc. -  Mobile Devices    #    Phone: (847) 523-8719          #
# 600 North US Highway 45             #      Fax: (847) 523-5767          #
# Libertyville, IL. 60048  (USA)      #     Cell: (847) 460-8719          #
###########################################################################
                 (this email sent using Mozilla on Windows)

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=197730
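An added example (not from the post or from Grid Engine) that simulates how the "compat" passwd source walks the `+@netgroup` / `+:*:::::` lines described above, so the per-node effect can be checked before pushing a change to the NIS master. The users, uids and netgroup names are constructed sample data, and local passwd entries before the `+` lines are left out for brevity.

```python
from typing import Optional

# Constructed NIS passwd map: name -> (password, uid, gid, gecos, home, shell)
NIS_PASSWD = {
    "alice": ("$6$alicehash", 1001, 100, "Alice", "/home/alice", "/bin/bash"),
    "bob":   ("$6$bobhash",   1002, 100, "Bob",   "/home/bob",   "/bin/bash"),
    "carol": ("$6$carolhash", 1003, 100, "Carol", "/home/carol", "/bin/bash"),
}

# Constructed netgroup map: netgroup name -> member user names
NETGROUPS = {
    "root_users": {"alice"},
    "allowed_logins_node01": {"bob"},
    "allowed_logins_node02": {"carol"},
}

def passwd_tail(hostname: str) -> list:
    """The tail of /etc/passwd as the node build process would write it."""
    return ["+@root_users", "+@allowed_logins_" + hostname, "+:*:::::"]

def resolve(user: str, hostname: str) -> Optional[tuple]:
    """Walk the compat entries in file order; the first match wins."""
    for line in passwd_tail(hostname):
        if line.startswith("+@"):
            # +@netgroup: pull the NIS entry only for netgroup members
            if user in NETGROUPS.get(line[2:], set()) and user in NIS_PASSWD:
                return NIS_PASSWD[user]
        elif line.startswith("+:"):
            # +:*::::: catch-all: merge every NIS entry, but non-empty
            # fields in the + line override the NIS values ("*" password)
            override = line[1:].split(":")
            if user in NIS_PASSWD:
                entry = list(NIS_PASSWD[user])
                if override[1]:
                    entry[0] = override[1]
                return tuple(entry)
    return None

def can_login(user: str, hostname: str) -> bool:
    """Password login is possible only if the resolved password is usable."""
    entry = resolve(user, hostname)
    return entry is not None and entry[0] not in ("*", "!")

def uid_of(user: str, hostname: str) -> Optional[int]:
    """The uid stays resolvable even on nodes where login is blocked."""
    entry = resolve(user, hostname)
    return None if entry is None else entry[1]
```

Running `can_login("bob", "node02")` against this data returns False while `uid_of("bob", "node02")` still returns 1002, which is exactly the "uid is still available" caveat from the post.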
