From 9a927fbc19945f4e180801456867043fae17b7a3 Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Fri, 7 Oct 2022 11:40:53 -0500
Subject: [PATCH] Add role to restrict user access to nodes via pam_slurm.

---
 ansible/roles/pam_slurm_adopt/tasks/main.yml | 46 ++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 ansible/roles/pam_slurm_adopt/tasks/main.yml

diff --git a/ansible/roles/pam_slurm_adopt/tasks/main.yml b/ansible/roles/pam_slurm_adopt/tasks/main.yml
new file mode 100644
index 0000000..7d80de8
--- /dev/null
+++ b/ansible/roles/pam_slurm_adopt/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+# restrict user access to nodes
+- name: Get version and release for slurm-pam pkg
+ shell: rpm -q --qf "%{VERSION}-%{RELEASE}\n" slurm-client
+ register: ver
+
+- debug:
+ var: ver
+
+- name: Install slurm-pam package
+ yum:
+ name: "slurm-pam-{{ ver.stdout }}"
+ state: present
+
+- name: Create new pam file wihtout pam_systemd.so
+ shell: grep -v pam_systemd.so < /etc/pam.d/password-auth > /etc/pam.d/password-auth-no-systemd
+
+- name: Update sshd pam file
+ blockinfile:
+ path: /etc/pam.d/sshd
+ insertbefore: "^account.+password-auth$"
+ backup: yes
+ marker: "# {mark} PAM config for Slurm"
+ marker_begin: "BEGIN account"
+ marker_end: "END account"
+ block: |
+ "-account sufficient pam_slurm_adopt.so"
+ "account required pam_access.so"
+
+- name: Update sshd pam file
+ blockinfile:
+ path: /etc/pam.d/sshd
+ insertbefore: "^session.+postlogin$"
+ backup: yes
+ marker: "# {mark} - PAM config for Slurm"
+ marker_begin: "BEGIN session"
+ marker_end: "END session"
+ block: |
+ "session include password-auth-no-systemd"
+
+- name: Update secure access config for the node
+ lineinfile:
+ dest: /etc/security/access.conf
+ line: "-:ALL EXCEPT root mhanby_ cmcclung_ (sysadmins) (atlab):ALL"
+ owner: root
+ mode: 0644
--
GitLab
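Review bot: The lines inside both `block: |` scalars are wrapped in double quotes, and a literal block scalar keeps those quotes verbatim, so the text written into /etc/pam.d/sshd begins with a `"` character; PAM will likely not recognise `"-account` or `"session` as a valid entry type and will log an error or skip the line, leaving pam_slurm_adopt and pam_access unloaded and the intended access restriction silently ineffective. Drop the quotes so the block contents are `-account sufficient pam_slurm_adopt.so`, `account required pam_access.so` and `session include password-auth-no-systemd`. The two tasks both named `Update sshd pam file` are indistinguishable in play output; name them by the stack they edit (for example `Add Slurm account rules to sshd PAM` and `Add systemd-free session include to sshd PAM`). Both `shell` tasks report changed on every run — the `rpm -q` query should be `command` with `changed_when: false`, and the `grep -v ... > ...` redirect rewrites password-auth-no-systemd each run with whatever mode the umask gives, so a task with an explicit `mode` and idempotent change detection would be safer. Minor: quote the file mode (`mode: "0644"`), write `backup: true` rather than `yes`, and consider moving the hard-coded admin usernames in the access.conf line into a role variable so the exception list is reviewable in one place.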