[Beowulf] Restricting users from ssh into nodes

Chandler Wilkerson chwilk at rice.edu
Tue Jul 23 09:13:01 PDT 2013


We currently use a pam access setup like this:

# cat /etc/security/access.conf
-:ALL EXCEPT admins root:ALL

Then if users need access to the node while running jobs, we can do a 
prolog/epilog that adds another line to allow in the user (then remove 
once the job is done).

This can become a mess if the node crashes, so I have a boot script that 
replaces the file to the -:ALL EXCEPT line, but I'd like a better way.


On 07/23/2013 07:58 AM, Peter Clapham wrote:
> I'm not sure how useful this may be, but these may also be suitable in
> certain environments
>
> simplest:
> touch /etc/nologin
>
> and, similarly granular to the option below you could edit:
> (Ubuntu / Debian file location)
> /etc/security/access.conf
>
> Pete
>
>> I am a novice when it comes to how clusters work, but I did find this
>> feature useful.
>>
>>
>>   Specify Which Accounts Can Use SSH
>>
>> You can explicitly allow or deny access for certain users or groups.
>> For example, if you have a family PC where most people have weak
>> passwords, you might want to allow SSH access just for yourself.
>>
>> Allowing or denying SSH access for specific users can significantly
>> improve your security if users with poor security practices don't need
>> SSH access.
>>
>> /It's recommended to specify which accounts can use SSH if only a few
>> users want (not) to use SSH./
>>
>> To allow only the users Fred and Wilma to connect to your computer,
>> add the following line to the bottom of the sshd_config file:
>>
>> *AllowUsers Fred Wilma*
>>
>> To allow everyone except the users Dino and Pebbles to connect to your
>> computer, add the following line to the bottom of the sshd_config file:
>>
>> *DenyUsers Dino Pebbles*
>>
>> It's possible to create very complex rules about who can use SSH - you
>> can allow or deny specific groups of users, or users whose names match
>> a specific pattern, or who are logging in from a specific location.
>> For more details about how to create complex rules, see the
>> sshd_config man page
>> <http://manpages.ubuntu.com/manpages/hardy/man5/sshd_config.5.html>
>>
>>
>> This is from the Ubuntu documentation, but it might prove useful and
>> can be found here
>> <https://help.ubuntu.com/community/SSH/OpenSSH/Configuring>.
>>
>>
>>
>> On Tue, Jul 23, 2013 at 1:16 PM, Hearns, John <john.hearns at mclaren.com> wrote:
>>
>>
>>
>>     John, can't you do that with a feature in ssh called Deny users and
>>     specify the user name, or wouldn't that work in a cluster environment?
>>
>>
>>
>>     I must admit that I am not running this in the context of an MPI
>>     style cluster.
>>     I am configuring nodes for interactive logins using the batch
>>     system to allocate the login sessions (interactive jobs)
>>
>>
>>
>>
>>
>>     _______________________________________________
>>     Beowulf mailing list, Beowulf at beowulf.org
>>     <mailto:Beowulf at beowulf.org> sponsored by Penguin Computing
>>     To change your subscription (digest mode or unsubscribe) visit
>>     http://www.beowulf.org/mailman/listinfo/beowulf
>>
>>
>>
>>
>> --
>> Jonathan Aquilina
>>
>>
>
>
> --
> ---
> Dr Peter Clapham, Informatics Systems Group
> The Wellcome Trust Sanger Institute, Cambs, CB10 1SA
> Tel: +44 (0)1223 834244 x 6972
>
>
>
>
>
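
The prolog/epilog scheme described at the top of this message, as an added example that is not code from the thread or from any poster: instead of editing access.conf in place, it keeps one grant file per job and regenerates the file from them, so a crashed node comes back with no stale allow lines. The paths, function names and the job-id/user arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). ACCESS_CONF and GRANT_DIR are assumed
# defaults; the function names and arguments are hypothetical.
ACCESS_CONF="${ACCESS_CONF:-/etc/security/access.conf}"
GRANT_DIR="${GRANT_DIR:-/run/job-access}"   # on tmpfs, so a crash or reboot empties it
BASE_RULE='-:ALL EXCEPT admins root:ALL'    # the deny line quoted in the post

# Accept only plain names: no ':' or whitespace that could alter a rule,
# no leading dot, and not the access.conf keyword ALL.
valid_name() {
    case "$1" in ''|ALL|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Regenerate access.conf: one allow line per user holding a grant, deny line last.
# pam_access applies the first matching rule, so allows must precede the deny.
rebuild_access() {
    mkdir -p "$GRANT_DIR" || return 1
    tmp=$(mktemp "${ACCESS_CONF}.XXXXXX") || return 1
    {
        cat "$GRANT_DIR"/* 2>/dev/null | sort -u | sed 's/.*/+:&:ALL/'
        printf '%s\n' "$BASE_RULE"
    } > "$tmp"
    chmod 644 "$tmp" && mv -f "$tmp" "$ACCESS_CONF"   # rename is atomic
}

# Prolog: grant_job JOBID USER
grant_job() {
    valid_name "$1" && valid_name "$2" || return 2
    mkdir -p "$GRANT_DIR" && printf '%s\n' "$2" > "$GRANT_DIR/$1" && rebuild_access
}

# Epilog: revoke_job JOBID. The user stays allowed while another job holds a grant.
revoke_job() {
    valid_name "$1" || return 2
    rm -f "$GRANT_DIR/$1" && rebuild_access
}

# Boot script: no job survives a reboot, so drop all grants and rebuild.
reset_access() {
    rm -rf "$GRANT_DIR" && rebuild_access
}
```

Concurrent prolog and epilog runs on the same node should be serialized, for example with flock(1), since two overlapping rebuilds could otherwise rename an older view into place.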


