Outside the context of slurm, you could add exceptions to 
/etc/security/access.conf. This depends on where pam_access.so appears in 
/etc/pam.d/sshd. I believe we’re using the config recommended in the 
pam_slurm_adopt documentation. There are a number of caveats: you need system 
root to configure it, not just slurm admin; it will allow SSH not just SFTP; 
pam_access.so appears in other PAM configurations, so be careful what else 
you’re allowing; it’s inconvenient if the set of users or set of nodes changes 
with any frequency.

We use this mechanism, and it works for us, because the users we’re allowing to 
bypass pam_slurm_adopt are HPC staff, not users.

John
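
An added example, not part of the message above or of the Slurm documentation: a shell audit for two of the caveats listed, namely which PAM stacks load pam_access.so and which access.conf grants apply from any origin. The sample PAM lines, user names and files under the temporary directory are constructed for illustration; on a real node, call the functions without arguments to read /etc/pam.d and /etc/security/access.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the two caveats above:
# which PAM stacks load pam_access.so, and which access.conf grants are broad.

# Print "file: <type> <control>" for each non-comment pam_access.so line.
# Stacks pulled in via include/substack show up under their own file name.
pam_access_services() {
    for f in "${1:-/etc/pam.d}"/*; do
        [ -f "$f" ] || continue
        awk -v svc="${f##*/}" '
            /^[ \t]*#/ { next }
            /pam_access\.so/ {
                out = svc ":"
                for (i = 1; i <= NF && $i !~ /pam_access\.so/; i++) out = out " " $i
                print out
            }' "$f"
    done
}

# Print "line: users" for every "+" rule whose origin is ALL. access.conf format
# is permission:users:origins, and the first matching rule wins.
broad_grants() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($1 == "+" && $3 == "ALL") print NR ": " $2
        }' "${1:-/etc/security/access.conf}"
}

# Constructed sample files so the script runs offline; all names are made up.
demo=$(mktemp -d)
mkdir "$demo/pam.d"
printf '%s\n' '# sshd stack' \
    'account    sufficient    pam_access.so' \
    'account    required      pam_slurm_adopt.so' > "$demo/pam.d/sshd"
printf '%s\n' 'account required pam_access.so' > "$demo/pam.d/crond"
printf '%s\n' 'auth include system-auth' > "$demo/pam.d/sudo"
printf '%s\n' '# constructed rules' \
    '+ : hpcstaff1 : ALL' \
    '+ : hpcstaff2 : 10.0.0.0/24' \
    '- : ALL : ALL' > "$demo/access.conf"

pam_access_services "$demo/pam.d"
broad_grants "$demo/access.conf"
```

Any service listed by the first function evaluates the same access.conf, so a grant reported by the second function is not limited to sshd.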



From: slurm-users <slurm-users-boun...@lists.schedmd.com> on behalf of 
"Ratnasamy, Fritz" <fritz.ratnas...@chicagobooth.edu>
Reply-To: Slurm User Community List <slurm-users@lists.schedmd.com>
Date: Tuesday, July 12, 2022 at 12:53 AM
To: Slurm User Community List <slurm-users@lists.schedmd.com>
Subject: [slurm-users] Allow SFTP on a specific compute node

Hello,

Currently, our cluster does not allow ssh to compute nodes for users unless
they have a running job on that compute node. I believe a system admin has set
up a PAM module that does the block. When trying ssh, this is the message
returned:
Access denied by pam_slurm_adopt: you have no active jobs on this node
Connection closed by 10.135.242.188 port 22

However, we would like to allow sftp on a specific compute node for specific 
users.
Any idea on how to do that?
Thanks,


Fritz Ratnasamy
Data Scientist
Information Technology
The University of Chicago
Booth School of Business
5807 S. Woodlawn
Chicago, Illinois 60637
Phone: +(1) 773-834-4556
