Z.127 Host Security

Z.127.1 Enabling PAM with Torque

Torque can use the authentication services provided by Pluggable Authentication Modules (PAM) to help administrators control which users may log in to compute nodes. The PAM module shipped with Torque is installed into the system's PAM module directory (/lib/security or /lib64/security). When stacked with other PAM modules, it denies access to a compute node unless the user currently has a job running on that node. The configurations below are examples only. For more information about PAM, see the PAM (Pluggable Authentication Modules) documentation from LinuxDocs.

To enable Torque PAM on the compute nodes, include the --with-pam[=<DIR>] option when running configure before installing, and then make the required security configuration file changes described in this section.

The installation process (below) will place pam_pbssimpleauth.la and pam_pbssimpleauth.so in either /lib/security or /lib64/security (depending on your build architecture), or in the directory optionally designated with the configure option.

When installing with packages, be sure to also run torque-package-pam-linux.sh or torque-package-pam-linux-x86_64.sh on each pbs_mom host.

When installing from source with "make install mom", be sure to also run "make install_pam" on each pbs_mom host. (Running "make install" will install everything.)

PAM is very flexible and policies vary greatly from one site to another. The following example restricts users trying to access a node using SSH. Administrators need to assess their own installations and decide how to apply the Torque PAM restrictions.

This example is not intended to be used as a general purpose solution, and must be modified for your configuration.

In this example, after installing Torque with PAM enabled, you would add the following two lines to /etc/pam.d/sshd (on the compute nodes):

account required pam_pbssimpleauth.so
account required pam_access.so

Also, in /etc/security/access.conf on the compute nodes, list every account that should be able to reach the node at all; pam_access denies everyone else before the job check is even relevant. This example permits node access to users root, george, allen, and michael, and to the torque service account:

-:ALL EXCEPT root george allen michael torque:ALL

With this configuration, both modules are marked "required", so the account stack succeeds only if both succeed: pam_access admits only the accounts named in the EXCEPT list, and pam_pbssimpleauth admits only a user who has a job currently running on that node. If user george has a job running on the compute node, george can use ssh to open sessions to the node. If george has no running job on that node, pam_pbssimpleauth fails, the account stack fails, and sshd refuses the login and closes the connection. A user who is not in access.conf is refused even while a job is running.

The Torque PAM module only decides at login time: it keeps users out unless they have a job running on the compute node, but it cannot terminate a session that is already open once that job finishes. To force users off the node when their job ends, use epilogue (or prologue) scripts to kill their remaining processes.
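The following is an added example, not code from Torque or this manual: a small Python model of the sshd account stack shown above. It parses the two /etc/pam.d/sshd lines and the access.conf rule exactly as written on this page, applies PAM's "required" semantics (every required module must succeed; the stack keeps running after a failure but the final verdict is denial), and decides whether a given user would get past the account phase. The pam_pbssimpleauth behaviour is reduced to "does this user own a running job on the node"; treating root as passing that module is an assumption of the model, not something the page states, and pam_access group syntax is not modelled.

```python
"""Model of the Torque PAM account stack for sshd (added example, not Torque code)."""

# The two lines the text adds to /etc/pam.d/sshd and the access.conf rule, verbatim.
SSHD_ACCOUNT_STACK = """\
account required pam_pbssimpleauth.so
account required pam_access.so
"""
ACCESS_CONF = "-:ALL EXCEPT root george allen michael torque:ALL\n"


def parse_pam_stack(text, facility="account"):
    """Return [(control, module, args)] for one PAM facility, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            entries.append((parts[1], parts[2], parts[3:]))
    return entries


def parse_access_conf(text):
    """Return [(perm, user_tokens, origin_tokens)] from access.conf syntax."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _user_matches(user, spec):
    # Only user names, ALL and "ALL EXCEPT ..." are modelled (no @group syntax).
    if spec[:2] == ["ALL", "EXCEPT"]:
        return user not in spec[2:]
    return spec == ["ALL"] or user in spec


def pam_access(user, rules, origin="ALL"):
    """First matching rule decides, as pam_access does; no matching rule means allow."""
    for perm, users, origins in rules:
        if _user_matches(user, users) and ("ALL" in origins or origin in origins):
            return perm == "+"
    return True


def pam_pbssimpleauth(user, running_job_owners):
    """Pass only if the user owns a job running on this node.
    ASSUMPTION: root is let through; the page does not describe how the module treats root."""
    return user == "root" or user in running_job_owners


def account_allowed(user, running_job_owners,
                    stack_text=SSHD_ACCOUNT_STACK, access_text=ACCESS_CONF):
    """Evaluate the account stack with PAM 'required'/'requisite' semantics."""
    rules = parse_access_conf(access_text)
    verdict = True
    for control, module, _args in parse_pam_stack(stack_text):
        if module == "pam_pbssimpleauth.so":
            ok = pam_pbssimpleauth(user, running_job_owners)
        elif module == "pam_access.so":
            ok = pam_access(user, rules)
        else:
            ok = True  # other modules are not modelled here
        if not ok:
            if control == "requisite":
                return False          # requisite stops the stack immediately
            if control == "required":
                verdict = False       # required keeps going but the stack will fail
    return verdict


if __name__ == "__main__":
    jobs = {"george"}  # constructed: george is the only user with a running job
    for who in ("george", "allen", "bob", "root"):
        print(who, "->", "allowed" if account_allowed(who, jobs) else "denied")
```

Running it prints that george and root are allowed, allen (listed in access.conf but without a job) is denied, and bob (not listed) is denied. Calling account_allowed("bob", {"bob"}, access_text="") returns True, which shows why the access.conf line matters: without it, any user with a running job gets in, including accounts you never intended to let on to the node.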

Z.127.2 Legacy Torque PAM Configuration

There is an alternative PAM configuration for Torque that has been available since 2006. It can be found in the contrib/pam_authuser directory of the source tree. Adaptive Computing does not currently support this method but the instructions are given here for those who are currently using it and for those who wish to use it.

For systems requiring dedicated access to compute nodes (for example, users with sensitive data), Torque prologue and epilogue scripts provide a vehicle to leverage the authentication provided by linux-PAM modules. (See Prologue and Epilogue Scripts for more information.)

To allow only users with running jobs (and root) to access compute nodes

  1. Untar contrib/pam_authuser.tar.gz (found in the src tar ball).
  2. Compile pam_authuser.c with make and make install on every compute node.
  3. Edit /etc/pam.d/system-auth as described in README.pam_authuser, again on every compute node.
  4. Either make a tarball of the epilogue* and prologue* scripts (to preserve the symbolic link) and untar it in the mom_priv directory, or just copy epilogue* and prologue* to mom_priv/.

The prologue* scripts are Perl scripts that append the job's user to /etc/authuser. The epilogue* scripts then remove the first occurrence of that user from /etc/authuser, so a user with two jobs on the node stays listed until the second one ends. File locking is used in all scripts to eliminate race conditions between concurrently starting and ending jobs. There is also some commented-out code in the epilogue* scripts which, if uncommented, kills all processes owned by the user (using pkill), provided that the user does not have another valid job on the same node; note that this also terminates any interactive ssh session the user still has open.
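The following is an added example, not the Perl scripts from the pam_authuser tarball: a Python reimplementation of the prologue/epilogue bookkeeping just described, written so it can be exercised against a temporary file. It appends one line per job in the prologue, removes only the first occurrence in the epilogue, holds an exclusive fcntl lock across each read-modify-write so concurrent job starts and ends cannot clobber each other, and only runs pkill when no other line for that user remains. The /etc/authuser path, the one-user-per-line format and the pkill -u command line are taken from the text; the function names and the opt-in kill flag are this example's own choices.

```python
"""Prologue/epilogue bookkeeping for /etc/authuser (added example, not Torque's scripts)."""
import fcntl
import os
import subprocess
import tempfile

AUTHUSER = "/etc/authuser"  # path named in the text; tests pass a temporary file instead


def _read_users(fh):
    fh.seek(0)
    return [line.strip() for line in fh if line.strip()]


def _write_users(fh, users):
    fh.seek(0)
    fh.truncate()
    fh.write("".join(u + "\n" for u in users))
    fh.flush()
    os.fsync(fh.fileno())


def prologue_add(user, path=AUTHUSER):
    """Job start: append the job owner, one line per job, under an exclusive lock."""
    with open(path, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        try:
            fh.write(user + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)


def epilogue_remove(user, path=AUTHUSER, kill=False):
    """Job end: drop the FIRST occurrence of the user. Returns True if another
    job of that user still keeps them listed. With kill=True, pkill the user's
    processes only when no such line remains (the commented-out behaviour the text
    describes)."""
    try:
        fh = open(path, "r+")
    except FileNotFoundError:
        return False
    with fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        try:
            users = _read_users(fh)
            if user in users:
                users.remove(user)  # list.remove drops only the first occurrence
            _write_users(fh, users)
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)
    still_listed = user in users
    if kill and not still_listed:
        subprocess.run(["pkill", "-KILL", "-u", user], check=False)
    return still_listed


def is_authorized(user, path=AUTHUSER):
    """What pam_authuser needs to know at login: is the user listed right now?"""
    try:
        with open(path) as fh:
            fcntl.flock(fh, fcntl.LOCK_SH)
            try:
                return user in _read_users(fh)
            finally:
                fcntl.flock(fh, fcntl.LOCK_UN)
    except FileNotFoundError:
        return False


def demo(path=None):
    """Walk two overlapping jobs for george and one for allen through the lifecycle
    (constructed scenario) and report what a login check would see at each step."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "authuser")
    prologue_add("george", path)
    prologue_add("allen", path)
    prologue_add("george", path)          # second job for george on the same node
    seen = {"george_after_two_jobs": is_authorized("george", path)}
    seen["george_still_listed_after_first_end"] = epilogue_remove("george", path)
    seen["george_after_first_end"] = is_authorized("george", path)
    seen["george_still_listed_after_second_end"] = epilogue_remove("george", path)
    seen["george_after_second_end"] = is_authorized("george", path)
    seen["allen_untouched"] = is_authorized("allen", path)
    seen["unknown_user_removal"] = epilogue_remove("nobody", path)
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The lock is taken on the file itself for every operation, including the read in is_authorized, so a login check never sees a half-written file. Running the demo shows that george remains authorized after the first of two jobs ends and loses access only when the second ends, which is exactly the "first occurrence" semantics the text describes.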

prologue and epilogue scripts were added to the pam_authuser tarball in version 2.1 of Torque.


© 2017 Adaptive Computing