Hi Loris,
I'm not a PAM expert, but - pam_slurm_adopt doesn't do authentication,
it only verifies that access for the authenticated user is allowed (by
checking there's a job). 'account' not 'auth' in PAM config. As in, it's
got nothing to do with how the user logs in to the server / is
authenticated by the server.
So yes, I'd expect this. For SSH logins to work, users need to, well, be
able to log in via ssh. Key based, password auth, host-based SSH,
Kerberos, ... - whatever auth mechanism your PAM config's configured to
use (or whatever you've configured in sshd_config).
If this is simply about quickly accessing nodes that they have jobs on
to check on them - we tell our users to 'srun' into a job allocation
(srun --jobid=XXXXXX).
Tina
On 21/05/2021 13:53, Loris Bennett wrote:
Hi,
We have set up pam_slurm_adopt using the official Slurm documentation
and Ole's information on the subject. It works for a user who has SSH
keys set up, albeit the passphrase is needed:
$ salloc --partition=gpu --gres=gpu:1 --qos=hiprio --ntasks=1 --time=00:30:00 --mem=100
salloc: Granted job allocation 7202461
salloc: Waiting for resource configuration
salloc: Nodes g003 are ready for job
$ ssh g003
Warning: Permanently added 'g003' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/loris/.ssh/id_rsa':
Last login: Wed May 5 08:50:00 2021 from login.curta.zedat.fu-berlin.de
$ ssh g004
Warning: Permanently added 'g004' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/loris/.ssh/id_rsa':
Access denied: user loris (uid=182317) has no active jobs on this node.
Access denied by pam_slurm_adopt: you have no active jobs on this node
Authentication failed.
If SSH keys are not set up, then the user is asked for a password:
$ squeue --me
JOBID PARTITION NAME USER ST TIME NODES NODELIST(REASON)
7201647 main test_job nokeylee R 3:45:24 1 c005
7201646 main test_job nokeylee R 3:46:09 1 c005
$ ssh c005
Warning: Permanently added 'c005' (ECDSA) to the list of known hosts.
nokeylee@c005's password:
My assumption was that a user should be able to log into a node on which
that person has a running job without any further ado, i.e. without the
necessity to set up anything else or to enter any credentials.
Is this assumption correct?
If so, how can I best debug what I have done wrong?
Cheers,
Loris
--
Tina Friedrich, Advanced Research Computing Snr HPC Systems Administrator
Research Computing and Support Services
IT Services, University of Oxford
http://www.arc.ox.ac.uk http://www.it.ox.ac.uk
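
Added example, not part of the original messages or of Slurm: a small check of which PAM management groups a module is wired into, illustrating the 'account' versus 'auth' distinction discussed in the thread. The helper name pam_module_groups and the sample sshd PAM file are constructed for illustration; on a real node you would point it at /etc/pam.d/sshd.

```shell
#!/bin/sh
# Hypothetical helper: list the PAM management groups (auth, account,
# password, session) in which a module is configured in a service file.
pam_module_groups() {
    # $1 = PAM service file, $2 = module name, e.g. pam_slurm_adopt.so
    awk -v mod="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)                 # leading "-": stay quiet if module is missing
            if (type !~ /^(auth|account|password|session)$/) next
            for (i = 3; i <= NF; i++) {         # module path follows the control field(s)
                n = split($i, parts, "/")       # accept absolute module paths too
                if (parts[n] == mod) { seen[type] = 1; break }
            }
        }
        END {
            out = ""
            split("auth account password session", order, " ")
            for (k = 1; k <= 4; k++)
                if (order[k] in seen) out = out (out == "" ? "" : " ") order[k]
            print out
        }
    ' "$1"
}

# Constructed sample in the style of /etc/pam.d/sshd (not taken from the thread).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
-account   required     pam_slurm_adopt.so
password   include      password-auth
session    required     pam_loginuid.so
EOF

# pam_slurm_adopt appears only under "account": it gates access after the
# user has already authenticated through whatever the "auth" stack requires.
echo "pam_slurm_adopt.so: $(pam_module_groups "$SAMPLE" pam_slurm_adopt.so)"
echo "pam_sepermit.so:    $(pam_module_groups "$SAMPLE" pam_sepermit.so)"
```

Modules pulled in through include or substack lines live in the referenced file, so run the check against that file as well.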