
Re: [HTCondor-users] condor_ssh_to_job



On Aug 12, 2014, at 9:32 PM, Rich Pieri <ratinox@xxxxxxx> wrote:

> On 8/12/2014 8:11 PM, Keith Brown wrote:
>> how can I set restrictions when a user ssh's to a job on a machine? I would
>> like to set a shell which has access to very few commands and I want a
>> timeout after 5 minutes.
> 
> Not really possible. Condor permits users to run pretty much any code
> they want. This can be used to bypass any chroot() jails and limited
> shells that you create. For example, a custom sshd that ignores a user's
> default shell and home directory and uses whatever environment that
> Condor provides instead.

Point of note - I don't think one can escape the chroot jail that HTCondor provides.

> 
> If you don't want users running interactively on compute nodes then
> don't give them any access to those nodes. Put them behind a firewall
> and only allow access via the job submission system.

That may not be sufficient - condor_ssh_to_job can reverse the connection to connect through firewalls.  You'll want an inbound + outbound firewall, which could adversely affect legit jobs.

If you don't want users logging in using the system default sshd binaries, you'll want to either lock the account or set up the sshd_config to whitelist only certain user accounts. As you mention above, this doesn't prevent users from shipping their own sshd (or maybe embedding one in their executable).

I'd mention that if you trust the user this little, you might want to think about whether you're willing to give them access to the job submit system in the first place.

Brian
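
Added example (not part of the original thread, and not HTCondor code): a small check an administrator could run on a compute node to see whether the system sshd actually enforces the account allowlist suggested above. It reads the effective configuration as printed by `sshd -T`; the function name, the account names and the sample dumps are constructed for illustration, and only exact names in AllowUsers/DenyUsers are evaluated (no patterns, no AllowGroups/DenyGroups).

```shell
#!/bin/sh
# Constructed samples of `sshd -T` output (keywords are printed in lowercase,
# one AllowUsers entry per line). These are not taken from a real host.
SAMPLE_RESTRICTED='port 22
permitrootlogin no
allowusers hpcadmin
allowusers backupsvc
passwordauthentication no'

SAMPLE_OPEN='port 22
permitrootlogin no
passwordauthentication yes'

# ssh_login_policy USER   (hypothetical helper; reads `sshd -T` text on stdin)
# Prints one word:
#   open     no AllowUsers directive: any unlocked account can use system sshd
#   allowed  USER is named in AllowUsers and not in DenyUsers
#   denied   USER is in DenyUsers, or an allowlist exists and omits USER
ssh_login_policy() {
    awk -v user="$1" '
        { key = tolower($1) }
        key == "allowusers" {
            restricted = 1
            for (i = 2; i <= NF; i++) if ($i == user) listed = 1
        }
        key == "denyusers" {
            for (i = 2; i <= NF; i++) if ($i == user) denied = 1
        }
        END {
            # sshd evaluates DenyUsers before AllowUsers
            if (denied)           print "denied"
            else if (!restricted) print "open"
            else if (listed)      print "allowed"
            else                  print "denied"
        }'
}

# Demo on the constructed samples. On a real node, run as root:
#   sshd -T | ssh_login_policy someuser
for u in hpcadmin jobuser; do
    printf '%s (restricted node): %s\n' "$u" \
        "$(printf '%s\n' "$SAMPLE_RESTRICTED" | ssh_login_policy "$u")"
    printf '%s (default node):    %s\n' "$u" \
        "$(printf '%s\n' "$SAMPLE_OPEN" | ssh_login_policy "$u")"
done
```

A result of "denied" only describes the system sshd; as the thread notes, it says nothing about an sshd that a job brings with it.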