
Re: [HTCondor-users] condor_ssh_to_job




On 8/12/14, 9:32 PM, Rich Pieri wrote:
> On 8/12/2014 8:11 PM, Keith Brown wrote:
>> how can I set restrictions when a user ssh's to a job on a machine? I would
>> like to set a shell which has access to very few commands and I want a
>> timeout after 5 minutes.
>
> Not really possible. Condor permits users to run pretty much any code
> they want. This can be used to bypass any chroot() jails and limited
> shells that you create. For example, a custom sshd that ignores a user's
> default shell and home directory and uses whatever environment that
> Condor provides instead.
>
> If you don't want users running interactively on compute nodes then
> don't give them any access to those nodes. Put them behind a firewall
> and only allow access via the job submission system.


While it is true that you should consider the possibility that the job itself might circumvent the restrictions you are trying to impose on condor_ssh_to_job, the latter is amenable to some restrictions.

First of all, you can disable access to condor_ssh_to_job altogether:

ENABLE_SSH_TO_JOB = False

You can also enable access to a restricted set of people:

ENABLE_SSH_TO_JOB = RemoteUser == "joe@xxxxxx"

Finally, when an ssh session begins, you can control what happens by modifying $(LIBEXEC)/condor_ssh_to_job_shell_setup. You should be able to impose whatever shell you wish, with whatever options and environment you want.

--Dan
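
One way to build the limited-command, five-minute shell asked about in this thread, as an added example that is not part of the original messages or of HTCondor. The function names, the allow-list approach and the use of bash's restricted mode with timeout(1) are assumptions; where to call them from inside your site's condor_ssh_to_job_shell_setup depends on the script shipped with your HTCondor version, which is not shown here.

```sh
#!/bin/sh
# Added example (not HTCondor code): helpers a site could call from its own
# copy of condor_ssh_to_job_shell_setup. All function names are hypothetical.

# Create DIR holding symlinks to the only external commands a session may run.
make_allowed_bin() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for cmd in "$@"; do
        # Resolve on the admin's PATH; skip anything that is not installed.
        target=$(command -v "$cmd") || continue
        case $target in
            /*) ln -sf "$target" "$dir/$cmd" ;;   # builtins have no path: ignored
        esac
    done
}

# Run one command string under the same restrictions, non-interactively.
# Lets the admin check the allow-list before users ever see it.
run_restricted() {
    bindir=$1; shift
    # env -i drops the job's environment; PATH holds only the allow-list.
    env -i PATH="$bindir" \
        "$(command -v bash)" --restricted --noprofile --norc -c "$1"
}

# Replace the current process with the restricted interactive shell.
# timeout(1) ends the session after LIMIT seconds (default 300 = 5 minutes);
# --foreground lets the child shell keep the terminal.
start_restricted_shell() {
    bindir=$1
    limit=${2:-300}
    exec env -i PATH="$bindir" TERM="${TERM:-dumb}" \
        "$(command -v timeout)" --foreground "$limit" \
        "$(command -v bash)" --restricted --noprofile --norc -i
}
```

These helpers constrain only the interactive session, not the job itself, which is the limit Rich Pieri describes above. Keep editors, interpreters and pagers off the allow-list, since any of them can start an unrestricted shell.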