
Re: [HTCondor-users] condor_ssh_to_job



We disable this feature at Fermilab and I would strongly suggest that any
other cluster do the same; it is an uncontrollable access hole. If you care
about security at all, don't turn it on.

Steve Timm



From: HTCondor-users [htcondor-users-bounces@xxxxxxxxxxx] on behalf of Keith Brown [keith6014@xxxxxxxxx]
Sent: Wednesday, August 13, 2014 7:13 AM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] condor_ssh_to_job

So, what is the point of condor_ssh_job? If a user can start hundreds of processes, he can just ssh into his job and occupy slots indefinitely. There must be a way for an administrator to control access to condor_ssh_job.




On Tue, Aug 12, 2014 at 10:32 PM, Rich Pieri <ratinox@xxxxxxx> wrote:
On 8/12/2014 8:11 PM, Keith Brown wrote:
> How can I set restrictions when a user ssh's to a job on a machine? I would
> like to set a shell which has access to very few commands and I want a
> timeout after 5 minutes.

Not really possible. Condor permits users to run pretty much any code
they want. This can be used to bypass any chroot() jails and limited
shells that you create. For example, a custom sshd that ignores a user's
default shell and home directory and uses whatever environment that
Condor provides instead.

If you don't want users running interactively on compute nodes then
don't give them any access to those nodes. Put them behind a firewall
and only allow access via the job submission system.

--
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science