TORQUE Resource Manager
3.4 Host Security

3.4.1 Enabling PAM with TORQUE

TORQUE is able to take advantage of the authentication services provided through Pluggable Authentication Modules (PAM) to help administrators manage access to compute nodes by users. The PAM module available in TORQUE is located in the PAM security directory. This module, when used in conjunction with other PAM modules, restricts access to the compute node unless the user has a job currently running on the node.

To enable TORQUE PAM, configure TORQUE with the --with-pam option. Using --with-pam alone is sufficient, but if your PAM security modules are not in the default /lib/security or /lib64/security directory, specify the location with --with-pam=DIR, where DIR is the directory in which the modules should be installed. When TORQUE is installed, the files pam_pbssimpleauth.la and pam_pbssimpleauth.so appear in /lib/security, /lib64/security, or the directory designated on the configure line.

PAM is very flexible and policies vary greatly from one site to another. The following example restricts users trying to access a node using SSH. Administrators need to assess their own installations and decide how to apply the TORQUE PAM restrictions.

After installing TORQUE with PAM enabled, add the following two lines to /etc/pam.d/sshd:

account required	pam_pbssimpleauth.so
account required	pam_access.so

In /etc/security/access.conf, make sure all users who should be able to access the compute node are listed in the configuration. The following example allows the users root, george, allen, and michael access:

-:ALL EXCEPT root george allen michael torque:ALL

With this configuration, if user george has a job currently running on the compute node, george can use ssh to log in to the node. If george has no job running there, the connection is refused when george attempts to log in.

TORQUE PAM is good at keeping out users who do not have jobs running on a compute node. However, it cannot force a user to log out once they are in. To accomplish this, use epilogue or prologue scripts to force users off the system.

3.4.2 Legacy TORQUE PAM configuration

There is an alternative PAM configuration for TORQUE that has been available since 2006. It can be found in the contrib/pam_authuser directory of the source tree. Adaptive Computing does not currently support this method, but the instructions are given here for those who are already using it and for those who wish to use it.

For systems requiring dedicated access to compute nodes (for example, users with sensitive data), TORQUE prologue and epilogue scripts provide a vehicle to leverage the authentication provided by Linux-PAM modules. (See Appendix G Prologue and Epilogue Scripts for more information.)

To allow only users with running jobs (and root) to access compute nodes, do the following:

  • Untar contrib/pam_authuser.tar.gz (found in the src tar ball).
  • Compile pam_authuser.c with make and make install on every compute node.
  • Edit /etc/system-auth as described in README.pam_authuser, again on every compute node.
  • Either make a tarball of the epilogue* and prologue* scripts (to preserve the symbolic link) and untar it in the mom_priv directory, or just copy epilogue* and prologue* to mom_priv/.

The prologue* scripts are Perl scripts that add the user of the job to /etc/authuser. The epilogue* scripts then remove the first occurrence of the user from /etc/authuser. File locking is employed in all scripts to eliminate the chance of race conditions. There is also some commented code in the epilogue* scripts, which, if uncommented, kills all processes owned by the user (using pkill), provided that the user doesn't have another valid job on the same node.
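As an added illustration of the prologue/epilogue bookkeeping described above (this is not the contrib/pam_authuser Perl code itself), the following Python sketch appends one entry per job under an exclusive flock, removes only the first occurrence at job end, and tells the epilogue whether the user still holds another job on the node, which is the condition that decides whether processes may be killed. The scratch path used by run_demo and the argument positions noted in the comments are assumptions.

```python
#!/usr/bin/env python3
"""Prologue/epilogue bookkeeping for an authuser-style file (added example)."""
import fcntl
import os
import sys

AUTHUSER = "/etc/authuser"  # file consulted by the legacy pam_authuser module


def _update(path, edit):
    """Open (creating if missing), take an exclusive lock, apply edit(), write back."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    with os.fdopen(fd, "r+") as f:
        fcntl.flock(f, fcntl.LOCK_EX)  # serialise concurrent prologue/epilogue runs
        users = [ln.strip() for ln in f if ln.strip()]
        users = edit(users)
        f.seek(0)
        f.truncate()
        f.write("".join(u + "\n" for u in users))
        f.flush()
        os.fsync(f.fileno())
        fcntl.flock(f, fcntl.LOCK_UN)
    return users


def prologue(user, path=AUTHUSER):
    """Job start: add one entry per job, so two jobs by one user yield two entries."""
    return _update(path, lambda users: users + [user])


def epilogue(user, path=AUTHUSER):
    """Job end: drop the first occurrence only; True means another job still holds the node."""
    def edit(users):
        if user in users:
            users.remove(user)  # list.remove deletes only the first match
        return users
    return user in _update(path, edit)


def run_demo(path="/tmp/authuser.demo"):
    """Constructed walk-through on a scratch file (assumed path): george runs two jobs, allen one."""
    if os.path.exists(path):
        os.remove(path)
    return [prologue("george", path), prologue("george", path), prologue("allen", path),
            epilogue("george", path), epilogue("george", path), epilogue("allen", path)]


if __name__ == "__main__":
    # Assumed invocation: authuser.py prologue|epilogue USER (TORQUE passes the job
    # owner as the second prologue/epilogue argument; see Appendix G).
    action, owner = sys.argv[1], sys.argv[2]
    still_has_job = prologue(owner) if action == "prologue" else epilogue(owner)
    print(still_has_job)
```

When epilogue() returns False the user has no remaining job on the node, which is the point at which the commented pkill step in the original scripts would be safe to run.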