topic Re: CMU_PAM_AUTH in Server Clustering

CMU_PAM_AUTH

rohitmehta — Tue, 18 Oct 2011 18:33:11 GMT

Is it possible to re-enable CMU_PAM_AUTH? The notes in cmuserver.conf (default install) say that it only works in RHEL4 32 bit.

Our admins log onto our cluster's via SSH using libpam-krb5 and authenticate off of our Active Directory which has strong password features. Rather than enabling shadow passwords for these accounts, we'd like all authentication to be done on accounts which inherit our central password policy. PAM integration is fairly easy and standard. I'm not entirely sure why this fairly standard and necessary feature seems to have been dropped since RHEL 4.

Thanks for any assistance,

Rohit

Re: CMU_PAM_AUTH

Dennis Gurgul — Wed, 16 Nov 2011 17:37:46 GMT

There used to be a similar PAM_AUTH module to prevent users from ssh'ing to a compute node unless they had first acquired it via a bsub session. When we dropped SLURM from LSF that went away also. Would be great to have that functionality back.

Re: CMU_PAM_AUTH

Chris Holmes (CMU) — Mon, 20 Feb 2012 19:06:13 GMT

Hi Dennis,

Sorry for the late response.

The PAM authentication that you are referring to comes with SLURM, and is called "pam_slurm". It's a Pluggable Authentication Module (PAM) that you configure in the /etc/pam.d/system-auth file on RHEL that checks if the local node has been allocated to the user in SLURM before allowing ssh access.

The XC Support team developed a similar module for standard LSF, and our internal benchmark team still uses it for controlling access to compute nodes. Let me see if I can dig that up and make it available here.

Regards,

--Chris

Re: CMU_PAM_AUTH

Chris Holmes (CMU) — Mon, 20 Feb 2012 19:22:00 GMT

Hello,

Sorry for the delay in responding to this post.

CMU_PAM_AUTH in the cmuserver.conf file is referring to a technique where the GUI can log into Admin Mode automatically using standard PAM mechanisms, without the user providing a root password. This has nothing to do with controlling user access to the cluster nodes. Customers can configure any authentication method that they would like for controlling user access to the compute nodes. The only requirement from CMU is that the root account can ssh between the nodes in the cluster without a password, and CMU accomplishes this by default by configuring consistent ssh keys on all nodes.

CMU_PAM_AUTH was deprecated because it required a complete redesign to adapt to any OS distribution (the original implementation was designed to work on RHEL 4 only) and continual maintainence to ensure that it worked on the latest OS distributions. The CMU team felt that this was a lot of work for a trivial feature, and that the work could be better spent on more useful features.

Regards,

--Chris