[mvapich-discuss] RE: Disable interactive login to compute node
Bill Barth
bbarth at tacc.utexas.edu
Mon Jul 13 08:34:31 EDT 2009
Satoshi,
We solve this problem by having a PAM module that checks and SGE spool directory for whether the user has a job on the node. If it does, it allows access, otherwise it does not. We could also have used the SGE prolog script to modify /etc/security/access.conf to allow access and epilog to modify it to remove access.
Regards,
Bill.
--
Bill Barth, Ph.D., Director, HPC
bbarth at tacc.utexas.edu | Phone: (512) 232-7069
Office: ROC 1.435 | Fax: (512) 475-9445
> -----Original Message-----
> From: Satoshi Isono [mailto:isono at cray.com]
> Sent: Monday, July 13, 2009 12:07 AM
> To: Bill Barth
> Cc: mvapich-discuss at cse.ohio-state.edu
> Subject: Disable interactive login to compute node
>
> Hello Bill, everyone,
>
> Sorry, this issue may not be a MVAPICH article. Please let me have your
> opinion on this.
>
> The background is I use MVAPICH based on SSH authorization. And the
> number of users is more one thousand. In order to run MPI, I have done
> SSH setting. As a result of my configuration, SSH login between compute
> nodes does not need password. As we know, this is general setting for
> MPI run environment.
>
> On the other hand, anyone who has an account on compute node has done
> login for arbitrary nodes. This action is not cared from system
> security
> side. I think we should consider that all users aren't able to login
> during other users job running.
>
> My concern is how everyone control such as operations. I know this may
> depend on the system policy. On big system site like a TACC, how is
> this
> restricted?
>
> For example, before/after running MPI, to set available user, we are
> able to edit password file, automatically?
>
> Best regards,
> Satoshi Isono
More information about the mvapich-discuss
mailing list