
pam_oar_adopt(8) OAR commands pam_oar_adopt(8)

NAME

pam_oar_adopt - pam_exec script to enable connecting to jobs via ssh

SYNOPSIS

pam_oar_adopt -a for PAM auth

pam_oar_adopt -s for PAM session

DESCRIPTION

PAM can be configured so that users' `ssh` connections (real `ssh`, not via `oarsh`) to nodes have the created processes placed in the job's cgroup.

This uses `pam_exec.so` with the `pam_oar_adopt` script.

If a user reserved a node, PAM will find the job's cgroup and place the process in it. It will also load the job's environment variables.

If a user tries to connect to a node that they did not reserve, or that they reserved multiple times (e.g. 2 different jobs each reserving a subset of the node's cores), nothing will be done (`ssh` may fail if configured to do so via `pam_access.so`).

EXAMPLES

The following is an example PAM configuration with pam_oar_adopt on Debian.

/etc/pam.d/common-account
 account sufficient      pam_exec.so quiet debug stdout /usr/sbin/pam_oar_adopt -a
 account sufficient      pam_access.so accessfile=/etc/security/access.conf
 account required        pam_access.so accessfile=/var/lib/oar/access.conf
 account sufficient      pam_ldap.so
 account required        pam_unix.so
    
/etc/pam.d/common-session
 # here are the per-package modules (the "Primary" block)
 session [default=1]                     pam_permit.so
 # here's the fallback if no module succeeds
 session requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 session required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block)
 session required        pam_unix.so
 session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
 session optional        pam_systemd.so
 session required   pam_exec.so stdout /usr/local/sbin/pam_oar_adopt -s
 session optional   pam_env.so readenv=1 envfile=/var/lib/oar/pam.env
    
/etc/pam.d/common-session-noninteractive
 # here are the per-package modules (the "Primary" block)
 session [default=1]                     pam_permit.so
 # here's the fallback if no module succeeds
 session requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 session required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block)
 session required        pam_unix.so
 session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
 session required   pam_exec.so seteuid stdout /usr/local/sbin/pam_oar_adopt -s
 session optional   pam_env.so readenv=1 envfile=/var/lib/oar/pam.env
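
How the control flags in the /etc/pam.d/common-account stack above combine, as an added Python sketch that is not part of OAR or of the original page. It models only `sufficient` and `required`. The per-module results in each scenario are constructed assumptions: that `pam_oar_adopt -a` exits non-zero unless it finds exactly one job for the user, that /etc/security/access.conf admits administrators only, and that /var/lib/oar/access.conf admits users holding a job on the node.

```python
# Added illustration: simplified model of Linux-PAM control-flag handling.
# Only "sufficient" and "required" (the flags in the account stack) are modelled.

# (control, module) pairs in the order of /etc/pam.d/common-account above.
ACCOUNT_STACK = [
    ("sufficient", "pam_exec pam_oar_adopt -a"),
    ("sufficient", "pam_access /etc/security/access.conf"),
    ("required", "pam_access /var/lib/oar/access.conf"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_unix"),
]

def evaluate(stack, results):
    """Return (granted, modules_called); results maps module -> True on success."""
    required_failed = succeeded = False
    called = []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "required":
            required_failed = required_failed or not ok
        elif control != "sufficient":
            raise ValueError(f"control flag not modelled: {control}")
        succeeded = succeeded or ok
        # A successful "sufficient" module ends the stack at once, unless an
        # earlier "required" module already failed; its failure is ignored.
        if control == "sufficient" and ok and not required_failed:
            return True, called
    return succeeded and not required_failed, called

def module_results(adopted, admin_acl, oar_acl, account_ok=True):
    """Constructed module results for one login attempt (assumptions)."""
    values = (adopted, admin_acl, oar_acl, account_ok, account_ok)
    return {module: v for (_, module), v in zip(ACCOUNT_STACK, values)}

# Constructed scenarios: (job adopted, in admin ACL, in OAR-managed ACL).
SCENARIOS = {
    "one job on the node": module_results(True, False, True),
    "administrator, no job": module_results(False, True, False),
    "two jobs on the node": module_results(False, False, True),
    "no job on the node": module_results(False, False, False),
}

def verdicts():
    return {name: evaluate(ACCOUNT_STACK, r) for name, r in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (granted, called) in verdicts().items():
        print(f"{name:24} granted={granted!s:5} modules called={len(called)}")
```

Under these assumptions the "two jobs" login is granted by the later modules although no process was adopted into a job cgroup, while the "no job" login is denied by the `required` `pam_access.so` line.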
    

SEE ALSO

oarsh(1), ssh(1), pam(5)

COPYRIGHTS

 Copyright 2003-2025 Laboratoire d'Informatique de Grenoble (http://www.liglab.fr). This software is licensed under the GNU General Public License Version 2 or above. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2025-02-27 pam_oar_adopt