pam_sge_authorize (8) - Linux Man Pages

pam_sge_authorize: PAM module to control access to SGE hosts

NAME

pam_sge_authorize - PAM module to control access to SGE hosts

SYNOPSIS

pam_sge_authorize [options]

DESCRIPTION

This PAM module limits access via etc. to xxQS_NAMExx hosts only to users who currently have a job running on the host. The expectation is that this limits their impact on any other users of the host.

OPTIONS

execd_spool_dir=dir

Specify the spool directory in which to find the active_jobs directory as dir/hostname/active_jobs. Default: /opt/sge/default/spool.

bypass_users=user_list

The module ignores access by users with unames in the comma-separated user_list. There is a limit of 30 users. root is always allowed access.

max_sleep=max_sleep

A non-zero max_sleep allows desynchronization of accesses to the spool directory. The module sleeps for a random period t, where 0<=t<=max_sleep microseconds before accessing the spool directory. This probably isn't useful. Default: 0.

debug

Send debugging information to syslog.

active

Require an active job, i.e. a running shepherd on the host. This can be used to enforce tight integration for distributed jobs, i.e. direct access to other nodes of the job is prevented via SSH, rather than qrsh -inherit.

EXAMPLE

On a typical GNU/Linux system, add something like the following to /etc/pam.d/sshd, e.g. at the top.
account required /opt/sge/lib/lx-amd64/pam_sge_authorize.so \
  bypass_users=foo,bar,baz,qux spool_dir=/opt/sge/execd_spool
On some systems it might be necessary to copy pam_sge_authorize.so into, say, /lib/security, and instead use it as

auth required pam_sge_authorize.so

AUTHOR

TACC. Man page by Dave Love, based on material from Bill Barth, TACC.

SEE ALSO