[GE users] [slightly OT] disallow node login

reuti reuti at staff.uni-marburg.de
Tue May 25 11:05:11 BST 2010


On 23.05.2010 at 15:59, seandavi wrote:

> Simple question, probably.  I want to disallow node logins (both mac and linux nodes).  However, we use ssh for job submission.  How can I limit user access to nodes?  We have always allowed users free access to the nodes, but after several episodes of users running long jobs on nodes without submitting via a queue, we have decided to change policy.  

My usual approach is to completely forbid logging into the nodes with a plain ssh/rsh. Instead all users are forced to use a special interactive queue with h_cpu=60 by qrsh. This special queue is intended to oversubscribe the nodes, and slots are limited to the CPU count by an RQS for the active queues instead.

Two cases:

a) ssh not required:

- limit ssh login to admin staff

- install rshd/telnetd on the nodes (but don't enable the daemons in /etc/xinet.d/rsh resp. telnet). SGE will start its own daemon instances.

b) ssh is required

- limit ssh login to admin staff

- install a special /etc/ssh/sshd_config_sge which is used by SGE's sshd call by: -f /etc/ssh/sshd_config_sge which allows user login

- set up hostbased authentication to avoid any passphraseless keys: http://gridengine.sunsource.net/howto/hostbased-ssh.html

Users can log in to the nodes to look for files, but due to the CPU limit of 60 seconds they can't abuse it.

-- Reuti
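
Case (b) from the message above laid out as configuration, added here as an illustration and not taken from the original post or the Grid Engine project. The admin group `sgeadmin`, the binary paths, the queue name `interactive.q` and the rule-set name are assumptions, as is turning off password and public-key logins in the SGE-only sshd config.

```conf
# --- /etc/ssh/sshd_config : the system sshd on port 22 ---
# Only admin staff may log in directly. Group name is an assumption.
AllowGroups sgeadmin

# --- /etc/ssh/sshd_config_sge : read only by the sshd that SGE starts ---
# No AllowGroups/AllowUsers here, so any valid account is accepted,
# but this daemon exists only for the lifetime of a qrsh session.
HostbasedAuthentication yes
# Assumption: host-based is the only method offered, so no user keys
# (with or without passphrase) are needed on the cluster.
PasswordAuthentication no
PubkeyAuthentication no
# Host-based login also needs the cluster hosts listed in
# /etc/ssh/shosts.equiv and /etc/ssh/ssh_known_hosts on every node, and
# "HostbasedAuthentication yes" plus "EnableSSHKeysign yes" in
# /etc/ssh/ssh_config on the submitting side.

# --- SGE configuration (qconf -mconf) ---
# SGE starts sshd itself and points it at the permissive config.
rsh_command     /usr/bin/ssh
rsh_daemon      /usr/sbin/sshd -i -f /etc/ssh/sshd_config_sge
rlogin_command  /usr/bin/ssh
rlogin_daemon   /usr/sbin/sshd -i -f /etc/ssh/sshd_config_sge

# --- excerpt of the interactive queue (qconf -mq interactive.q) ---
# Hard CPU limit of 60 seconds per session, as in the message.
qname   interactive.q
qtype   INTERACTIVE
h_cpu   60

# --- resource quota set (qconf -arqs) ---
# Caps slots per host at the core count for every queue except the
# interactive one, which is allowed to oversubscribe the nodes.
{
   name     slots_per_host
   enabled  TRUE
   limit    queues !interactive.q hosts {*} to slots=$num_proc
}
```

Running `sshd -t -f /etc/ssh/sshd_config_sge` on a node checks the second file for syntax errors before SGE is pointed at it.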

