Merge branch 'unify_pam_ssh' into 'master'

Unify pam ssh See merge request hpc-team/ansible_cluster_in_a_box!271 Former-commit-id: 439c73d6

Merge branch 'unify_pam_ssh' into 'master'
Unify pam ssh See merge request hpc-team/ansible_cluster_in_a_box!271 Former-commit-id: 439c73d6
80f0f715 · Trung Nguyen · 58bbc747 · cabba9a5 · 58bbc747 · 80f0f715
Commit 80f0f715 authored 5 years ago by Trung Nguyen
--- a/roles/pam_slurm/tasks/main.yml
+++ b/roles/pam_slurm/tasks/main.yml
---
- name: "Copy access.conf"
-  template: src=access.conf.j2 dest=/etc/security/access.conf
-  become: true
-  become_user: root
-
- name: "Copy password sshd pam config"
-  template: src=sshd.j2 dest=/etc/pam.d/sshd
-  become: true
-  become_user: root
-
--- a/roles/pam_sshd/README.md
+++ b/roles/pam_sshd/README.md
+Install an sshd PAM config definition
+
+we leverage pam_access to ensure that the ec2-user and members of the systems group and always login
+
+we use nologin on the login nodes during maintaince to retrict user login
+
+we use pam_slurm_adopt on the compute nodes so that only users with running jobs can login a given node.
+
+default is to configure as a login node. Use the variable computenodepam to config as a compute node (i.e. enable pam_slurm_adopt)
--- a/roles/pam_sshd/tasks/main.yml
+++ b/roles/pam_sshd/tasks/main.yml
+---
+- name: "Copy access.conf"
+  template: src=access.conf.j2 dest=/etc/security/access.conf
+  become: true
+  become_user: root
+
 - name: "Copy password sshd pam config"
-  template: src=sshd.j2 dest=/etc/pam.d/sshd
+  template: src=loginnodes_sshd.j2 dest=/etc/pam.d/sshd
  become: true
  become_user: root
+  when: computenodepam is undefined or not computenodepam 
+

+- name: "Copy password sshd pam config"
+  template: src=computenodes_sshd.j2 dest=/etc/pam.d/sshd
+  become: true
+  become_user: root
+  when: computenodepam is defined and computenodepam 
--- a/roles/pam_slurm/templates/access.conf.j2
+++ b/roles/pam_slurm/templates/access.conf.j2
--- a/roles/pam_slurm/templates/sshd.j2
+++ b/roles/pam_slurm/templates/sshd.j2
--- a/roles/pam_sshd/templates/sshd.j2
+++ b/roles/pam_sshd/templates/sshd.j2
@@ -4,7 +4,7 @@ auth       substack     password-auth
 auth       include      postlogin
 # Used with polkit to reauthorize users in remote sessions
 -auth      optional     pam_reauthorize.so prepare
-account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup systems
+account    sufficient   pam_access.so
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth