Sorry for the late update. Anyway, per suggestions, here is what I did:

* prevent ssh-login to the nodes except admins
* reconfigure torque with --with-pam (then reinstall torque, openmpi etc...)

After testing for a few days with some intensive jobs, everything looks fine :)

Thanks for all the help/suggestions/comments,

D.

On 2/6/13 10:58 PM, Reuti wrote:
> On 06.02.2013 at 16:45, Duke Nguyen wrote:
>
> > On 2/6/13 10:06 PM, Jeff Squyres (jsquyres) wrote:
> >> On Feb 6, 2013, at 5:11 AM, Reuti <re...@staff.uni-marburg.de> wrote:
> >>
> >>>> Thanks Reuti and Jeff, you are right, users should not be allowed
> >>>> to ssh to all nodes, which is how our cluster was set up: users can
> >>>> even password-less ssh to any node. I know this is not an appropriate
> >>>> question in the OpenMPI forum, but how can we set it up so that a user
> >>>> can only ssh (with password) to nodes that are allocated to them at
> >>>> the time of qsub'ing? I am still new to all of this cluster thing :)
> >>> I even disallow this. Only admin staff is allowed to log in to the
> >>> nodes. This also forces the admin to look for a tight integration of
> >>> the user's software into the queuing system.
> >>
> >> +1
> >>
> >> FWIW, that makes one-more-thing that you have to set up and maintain
> >> (because it doesn't happen by default -- you'd have to add some extra
> >> scripting in the ssh authentication stuff to enable that functionality).
> >>
> >
> > Thanks, that's what I want to do too, but I thought if it is impossible
> > because ssh is needed for setting up a cluster. From what I understand:
> >
> > * for a user to run pbs jobs, master and clients should have that user
> > on their passwd/shadow/group files
>
> Or use NIS / LDAP to have a central location for this information.
>
> >
> > * configure ssh server on clients to prohibit certain users
>
> Correct, like a line in /etc/ssh/sshd_config:
>
> AllowGroups admin
>
> and only admin staff has this group as one of their secondary groups
> attached.
>
> -- Reuti
>
>
> > Is that right?
>
> > _______________________________________________
> > users mailing list
> > us...@open-mpi.org
> > http://www.open-mpi.org/mailman/listinfo.cgi/users
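
Added example, not part of the original thread: a small audit that reads an sshd_config and lists which accounts could still log in to a node once a line such as "AllowGroups admin" is in place. It applies DenyGroups before AllowGroups, the order documented in sshd_config(5); the sample config, the account names and the function names are constructed for illustration, and AllowUsers/DenyUsers, Match blocks and negated patterns are not evaluated.

```python
from fnmatch import fnmatchcase

# Constructed sample: the directive from the thread in a minimal node config.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config on a compute node (constructed sample)
PermitRootLogin no
AllowGroups admin
"""

# Constructed accounts: user -> every group (primary and secondary).
SAMPLE_ACCOUNTS = {
    "alice": ["alice", "admin"],   # admin staff, "admin" as a secondary group
    "duke": ["duke", "physics"],   # regular cluster user
    "pbsuser": ["users"],          # regular cluster user
}

def parse_group_rules(config_text):
    """Collect AllowGroups/DenyGroups patterns from the global section."""
    rules = {"allowgroups": [], "denygroups": []}
    for raw in config_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()      # sshd keywords are case-insensitive
        if keyword == "match":           # assumption: audit global section only
            break
        if keyword in rules:
            rules[keyword].extend(fields[1:])   # repeated directives accumulate
    return rules

def ssh_login_allowed(groups, rules):
    """DenyGroups is checked first, then AllowGroups (if any is configured)."""
    def hit(patterns):
        return any(fnmatchcase(g, p) for g in groups for p in patterns)
    if (rules["denygroups"] or rules["allowgroups"]) and not groups:
        return False                     # no groups at all: nothing can match
    if hit(rules["denygroups"]):
        return False
    if rules["allowgroups"] and not hit(rules["allowgroups"]):
        return False
    return True

def audit(config_text, accounts):
    """Return the sorted account names that pass the group rules."""
    rules = parse_group_rules(config_text)
    return sorted(u for u, g in accounts.items() if ssh_login_allowed(g, rules))

if __name__ == "__main__":
    print("can still ssh in:", audit(SAMPLE_SSHD_CONFIG, SAMPLE_ACCOUNTS))
```

On a real node the account table would come from the passwd/group data (local files, NIS or LDAP) rather than a literal dictionary.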