Provided by: oar-node_2.6.1-1_amd64

NAME

       pam_oar_adopt - OAR's pam_exec script to manage ssh connections to OAR nodes

SYNOPSIS

       pam_oar_adopt -a for PAM account

       pam_oar_adopt -s for PAM session

DESCRIPTION

       This script is part of the OAR resources and jobs manager software.

       PAM can be configured to let users ssh (basic ssh, not via oarsh) to OAR nodes and place the created
       processes in the job's cgroup. It will also prevent any ssh connection to nodes that are not properly
       reserved.

       This uses the pam_exec module with the pam_oar_adopt script and the pam_env module.

       Once enabled, if a user has reserved a node and then connects to it using ssh, PAM will find out the
       job's cgroup and place the ssh remote process in it. It will also load the job's environment variables.

       If a user tries to ssh to a node that is either not reserved, or not reserved in full (all compute
       resources of the node must be reserved) or reserved multiple times (e.g. 2 different jobs reserving each
       a subset of the node's compute resources, or using the timesharing job type), the connection will fail.

       Please note that while using ssh is very convenient, oarsh provides extra features to connect to jobs.

CONFIGURATION

       To enable this feature, one must configure pam_oar_adopt in PAM and activate it in its configuration file
       (/etc/oar/pam_oar_adopt.conf).

   PAM CONFIGURATION
       Make sure the ssh service (on port 22, not OAR's dedicated ssh service on port 6667) enables PAM.
       /etc/ssh/sshd_config must contain:

        UsePAM yes

       An example PAM configuration with pam_oar_adopt on Debian-like systems follows:

       /etc/pam.d/common-account
           The following can be set as the first PAM directive in common-account:

            account required      pam_exec.so quiet stdout /usr/sbin/pam_oar_adopt -a

       /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive
           The following can be set as the last PAM directives in common-session and
           common-session-noninteractive:

            session required   pam_exec.so quiet stdout /usr/sbin/pam_oar_adopt -s
            session optional   pam_env.so readenv=1 envfile=/var/lib/oar/pam.env

       On Debian-like systems, one can also use the pam-auth-update command to configure PAM and, by default,
       this PAM profile is installed with the oar-node package.
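
       The following script is an added example, not part of the OAR distribution: it checks a node, or a
       copy of its /etc placed under a prefix directory, against the layout shown in the example above. The
       function names and the constructed sample tree are this example's own.

```shell
#!/bin/sh
# Added example: check a node (or a copy of its /etc under $1) against the
# PAM layout shown on this page. Function names are this example's own.

ACCOUNT='account required pam_exec.so quiet stdout /usr/sbin/pam_oar_adopt -a'
SESSION='session required pam_exec.so quiet stdout /usr/sbin/pam_oar_adopt -s'
ENVLINE='session optional pam_env.so readenv=1 envfile=/var/lib/oar/pam.env'

# Active directives of a PAM file: comments and blank lines dropped,
# runs of whitespace collapsed so column alignment does not matter.
pam_directives() {
    sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" |
        grep -v '^$'
}

audit_oar_pam() {
    root=$1 rc=0
    # sshd must hand logins to PAM, otherwise none of the lines below run.
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes([[:space:]]|$)' "$root/etc/ssh/sshd_config" ||
        { echo "FAIL: sshd_config lacks 'UsePAM yes'"; rc=1; }
    # Account check first in common-account, as in the example layout.
    [ "$(pam_directives "$root/etc/pam.d/common-account" | head -n 1)" = "$ACCOUNT" ] ||
        { echo "FAIL: common-account does not start with pam_oar_adopt -a"; rc=1; }
    # Session hook followed by pam_env as the last two directives.
    for f in common-session common-session-noninteractive; do
        [ "$(pam_directives "$root/etc/pam.d/$f" | tail -n 2)" = "$SESSION
$ENVLINE" ] || { echo "FAIL: $f does not end with the -s / pam_env pair"; rc=1; }
    done
    return "$rc"
}

# Constructed sample tree (not taken from a real node).
make_sample() {
    mkdir -p "$1/etc/ssh" "$1/etc/pam.d"
    echo 'UsePAM yes' > "$1/etc/ssh/sshd_config"
    printf '# account stack\n%s\naccount required pam_unix.so\n' "$ACCOUNT" \
        > "$1/etc/pam.d/common-account"
    for f in common-session common-session-noninteractive; do
        printf 'session required pam_unix.so\n%s\n%s\n' "$SESSION" "$ENVLINE" \
            > "$1/etc/pam.d/$f"
    done
}

tmp=$(mktemp -d) && make_sample "$tmp" && audit_oar_pam "$tmp" && echo "OK: $tmp"
```

       Running audit_oar_pam with an empty prefix ("") checks the live /etc; a non-zero exit status means at
       least one of the directives from the example is missing or out of position.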

   PAM_OAR_ADOPT CONFIGURATION
       The /etc/oar/pam_oar_adopt.conf file contains the following configuration options:

       MODE
           Whether pam_oar_adopt is enabled or not. Possible values are:

           enforced: pam_oar_adopt is enabled and will prevent any ssh connection to nodes that are not properly
           reserved.
           disabled: pam_oar_adopt is disabled.

           By default, pam_oar_adopt is disabled.

           [DEPRECATED] For compatibility reasons, if the /etc/oar/pam_oar_adopt_enabled file exists, regardless
           of /etc/oar/pam_oar_adopt.conf, then pam_oar_adopt is enabled.

       WARN
           In disabled mode, pam_oar_adopt will warn users about what would have been done if it were enabled.
           Possible values are:

           yes: warn users (default).
           no: do not warn users about pam_oar_adopt doing nothing.

       USER_UID_MIN
           In enforced mode, pam_oar_adopt will ignore (not prevent) ssh connections from users with a UID lower
           than USER_UID_MIN. This is useful to allow system users to connect to nodes without being part of a
           job. The default value is 1000.

NOTES

       It is good practice to prevent users from connecting to OAR nodes outside of jobs (except system users:
       at least root and the oar user).

       Configuring pam_oar_adopt achieves this, but it can also be enforced using pam_access or the AllowUsers
       directive in /etc/ssh/sshd_config.

       Conversely, in an installation where either of OAR's deploy or cosystem job types is used, which requires
       the oar-node package to also be installed on the deploy or cosystem frontend, it is usually normal to let
       any user ssh to that frontend regardless of jobs. As a result on such a frontend, pam_oar_adopt should
       not be installed (on Debian-like systems, one may use pam-auth-update to deactivate the oar-node PAM
       profile).

SEE ALSO

       pam(7), pam.conf(5), pam.d(5), pam_exec(8), pam_env(7), pam_access(8), pam-auth-update(8), ssh(1),
       sshd_config(5), oarsh(1)

COPYRIGHTS

        Copyright 2003-2025 Laboratoire d'Informatique de Grenoble (http://www.liglab.fr). This software is licensed under the GNU General Public License Version 2 or above. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

pam_oar_adopt                                      2025-03-24                                   pam_oar_adopt(8)