[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] condor_ssh_to_job

On 8/12/14, 9:32 PM, Rich Pieri wrote:
On 8/12/2014 8:11 PM, Keith Brown wrote:
how can I set restrictions when a user ssh's to a job on a machine? I would
like to set a shell with has access to very little commands and I want a
timeout after 5 minutes.
Not really possible. Condor permits users to run pretty much any code
they want. This can be used to bypass any chroot() jails and limited
shells that you create. For example, a custom sshd that ignores a user's
default shell and home directory and uses whatever environment that
Condor provides instead.

If you don't want users running interactively on compute nodes then
don't give them any access to those nodes. Put them behind a firewall
and only allow access via the job submission system.

While it is true that you should consider the possibility that the job itself might circumvent the restrictions you are trying to impose on condor_ssh_to_job, the latter is amenable to some restrictions.

First of all, you can disable access to condor_ssh_to_job altogether:


You can also enable access to a restricted set of people:

ENABLE_SSH_TO_JOB = RemoteUser == "joe@xxxxxx"

Finally, when an ssh session begins, you can control what happens by modifying $(LIBEXEC)/condor_ssh_to_job_shell_setup. You should be able to impose whatever shell you wish, with whatever options and environment you want.