[Beowulf] Restricting users from ssh into nodes
Peter Clapham
pc7 at sanger.ac.uk
Wed Jul 24 02:00:00 PDT 2013
On 23/07/13 17:13, Chandler Wilkerson wrote:
> We currently use a pam access setup like that:
>
> # cat /etc/security/access.conf
> -:ALL EXCEPT admins root:ALL
>
> Then if users need access to the node while running jobs, we can do a
> prolog/epilog that adds another line to allow in the user (then remove
> once the job is done)
>
> This can become a mess if the node crashes, so I have a boot script that
> replaces the file to the -:ALL EXCEPT line, but I'd like a better way.
>
So this is pretty much the approach we have been using. As specific
changes are made we roll these out via cfengine. This way we can have
specific system classes or where necessary a system can become *special*
BUT in a way that remains recorded and tracked. Always good to be able
to roll back but as you mention, good to remember which of your many
hosts you need to roll back ;).
the touch /etc/nologin is generally only used when we take an
interactive node out for repairs. It is a very simple blunt stick.
Pete
--
The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
More information about the Beowulf
mailing list