diff --git a/ansible/roles/pam_slurm_adopt/tasks/main.yml b/ansible/roles/pam_slurm_adopt/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7d80de8e12d6e296960aeaf8a590bfa1e4497849
--- /dev/null
+++ b/ansible/roles/pam_slurm_adopt/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+# restrict user access to nodes
+- name: Get version and release for slurm-pam pkg
+ shell: rpm -q --qf "%{VERSION}-%{RELEASE}\n" slurm-client
+ register: ver
+
+- debug:
+ var: ver
+
+- name: Install slurm-pam package
+ yum:
+ name: "slurm-pam-{{ ver.stdout }}"
+ state: present
+
+- name: Create new pam file wihtout pam_systemd.so
+ shell: grep -v pam_systemd.so < /etc/pam.d/password-auth > /etc/pam.d/password-auth-no-systemd
+
+- name: Update sshd pam file
+ blockinfile:
+ path: /etc/pam.d/sshd
+ insertbefore: "^account.+password-auth$"
+ backup: yes
+ marker: "# {mark} PAM config for Slurm"
+ marker_begin: "BEGIN account"
+ marker_end: "END account"
+ block: |
+ "-account sufficient pam_slurm_adopt.so"
+ "account required pam_access.so"
+
+- name: Update sshd pam file
+ blockinfile:
+ path: /etc/pam.d/sshd
+ insertbefore: "^session.+postlogin$"
+ backup: yes
+ marker: "# {mark} - PAM config for Slurm"
+ marker_begin: "BEGIN session"
+ marker_end: "END session"
+ block: |
+ "session include password-auth-no-systemd"
+
+- name: Update secure access config for the node
+ lineinfile:
+ dest: /etc/security/access.conf
+ line: "-:ALL EXCEPT root mhanby_ cmcclung_ (sysadmins) (atlab):ALL"
+ owner: root
+ mode: 0644
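Review bot: The PAM lines inside both `block: |` scalars are wrapped in double quotes, and a literal block scalar does not strip them, so /etc/pam.d/sshd would receive `"-account sufficient pam_slurm_adopt.so"` with the quotes included. PAM reads the first token of a line as the module type, so these entries are not valid account or session rules; the intended pam_slurm_adopt/pam_access restriction is not applied as written, and sshd logins on the node may be refused instead. Write the block bodies unquoted: `-account sufficient pam_slurm_adopt.so`, `account required pam_access.so`, and in the second task `session include password-auth-no-systemd`. It is worth checking the rendered file on one node, with an existing root session kept open, before rolling the role out.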