[Beowulf] SSH without login in nodes

Angel de Vicente angelv at iac.es
Tue May 8 06:25:36 PDT 2007


If it is of any help, we use a similar setting to the one given below by Kilian,
where our access file in the compute nodes only has root and myself. When a user
submits something to the queuing system (Torque+Maui), the access.conf of the
given nodes is modified with a prologue script, so that access is given to them
in the allocated nodes, and when the job finishes their name is taken from
access.conf in an epilogue script. 

Nothing fancy, but it works pretty well (you could easily figure how to abuse
it, but people usually behave nicely, and this was needed mostly to prevent
accidentally submitting jobs to other nodes, not to tackle abuse). At the same
time, we have a script that runs once per day to check whether there are any
jobs from users not allowed (according to the queueing system) to do so, and if
found they are just mercilessly killed (on very rare occasions zombies are
hanging around).

To the original poster, if you want details about this setting, I can provide
them, with a special bonus: in Spanish :-)

Ángel de Vicente

Kilian CAVALOTTI <kilian at stanford.edu> writes:

> Hi,
> On Friday 04 May 2007 01:06:51 pm Peter St. John wrote:
>> There was a typogrphical error in the question. I had a brief exchange
>> with se=F1or Gomez and he confirmed this translation:
>> I am configuring a cluster with ssh (but without passwords) and
>> currently the users can log in to compute nodes.
>> I wish the clients to use the queue system (Torque, it works fine)
>> without being able to access the compute nodes.
>> In the past, we used rsh without allowing rlogin.
> What you can do is configure PAM on the nodes, to only allow login for a=20
> specific set of users, if any. It should come with any modern distro.
> Be sure your /etc/pam.d/authconfig contains reference to pam_access, like=
> :
> account     required      /lib/security/$ISA/pam_access.so
> And configure /etc/security/access.conf to match your needs, like:
> # Allow administrative login from everywhere
> +:wheel staff:ALL
> # Prevent user logins=20
> -:users:ALL
> You can give a look at=20
> http://www.informit.com/articles/article.asp?p=3D165226&seqNum=3D12&rl=3D=
> 1 for=20
> more info.
> Cheers,
> --=20
> Kilian
Instituto de Astrofísica de Canarias

More information about the Beowulf mailing list