Re: [HTCondor-users] condor_ssh_to_job

[Brian Bockelman <bbockelm@xxxxxxxxxxx>]

Hi Keith,

There's nothing "bulletproof" available - recall that you're allowing users to execute arbitrary code (they can just bring their own SSH binaries with them!).  So, you always must maintain some sort of trust relationship with them.  The available solutions will mostly just limit well-intentioned users, not malicious ones.  There are other mechanisms for protecting against malicious users.

If you just want to limit the interactive jobs, you can always set a default periodic hold _expression_.

I don't have any concrete advice (I've never tried this), other than starting with Wikipedia and going on from there:

http://en.wikipedia.org/wiki/Restricted_shell

To prevent users (either through login or via their jobs) from abusing the system resources, you may want to look at HTCondor's chroot, namespace, and cgroup capabilities.

Hope this helps!

Brian

On Aug 12, 2014, at 7:11 PM, Keith Brown <keith6014@xxxxxxxxx> wrote:

how can I set restrictions when a user ssh's to a job on a machine? I would like to set a shell with has access to very little commands and I want a timeout after 5 minutes. 

is anyone doing anything with this command? it convenient but users can take advantage of the slots by running interactive jobs.

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/