[Beowulf] Restricting users from ssh into nodes

Peter Clapham pc7 at sanger.ac.uk
Wed Jul 24 02:00:00 PDT 2013

On 23/07/13 17:13, Chandler Wilkerson wrote:
> We currently use a pam access setup like that:
> # cat /etc/security/access.conf
> -:ALL EXCEPT admins root:ALL
> Then if users need access to the node while running jobs, we can do a
> prolog/epilog that adds another line to allow in the user (then remove
> once the job is done)
> This can become a mess if the node crashes, so I have a boot script that
> replaces the file to the -:ALL EXCEPT line, but I'd like a better way.

So this is pretty much the approach we have been using. As specific 
changes are made we roll these out via cfengine. This way we can have 
specific system classes or where necessary a system can become *special* 
BUT in a way that remains recorded and tracked. Always good to be able 
to roll back but as you mention, good to remember which of your many 
hosts you need to roll back ;).

the touch /etc/nologin is generally only used when we take an 
interactive node out for repairs. It is a very simple blunt stick.


 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 

More information about the Beowulf mailing list