From 18d1678a855ea29df91ab561596f92c8d9ccf9dc Mon Sep 17 00:00:00 2001
From: Marshall Garey <marshall@schedmd.com>
Date: Tue, 15 Jan 2019 14:55:18 -0700
Subject: [PATCH] Document how to use pam_listfile.so to bypass

pam_slurm_adopt so special users can ssh to a node. This is an
alternative to pam_access.so.

Bug 6243
---
 doc/html/pam_slurm_adopt.shtml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/doc/html/pam_slurm_adopt.shtml b/doc/html/pam_slurm_adopt.shtml
index 24642ed30e0..45ef56a7b14 100644
--- a/doc/html/pam_slurm_adopt.shtml
+++ b/doc/html/pam_slurm_adopt.shtml
@@ -36,7 +36,7 @@ system-auth or sshd (you may use either the "required" or "sufficient" PAM
 control flag):</p>
 
 <pre>
-account    sufficient    pam_slurm_adopt.so
+account    required      pam_slurm_adopt.so
 </pre>
 
 <p> The order of plugins is very important. pam_slurm_adopt.so should be the
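Review bot: the example line switches from sufficient to required, but the commit message only mentions documenting pam_listfile.so, and the sentence directly above still says either the "required" or "sufficient" control flag may be used. The two flags are not interchangeable: a failure of a sufficient module is ignored and the rest of the stack decides the result, while a failure of a required module makes the whole stack fail. Suggest stating in the commit message why the example flag changed, and adding a sentence to this paragraph on when each flag is appropriate.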
@@ -49,7 +49,7 @@ You might have the following account stack in sshd:</p>
 account    required      pam_nologin.so
 account    include       password-auth
 ...
-account    sufficient    pam_slurm_adopt.so
+account    required      pam_slurm_adopt.so
 </pre>
 
 <p>pam_slurm_adopt must be used with the task/cgroup plugin.
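Review bot: in the sshd stack example, pam_slurm_adopt.so as required no longer ends the stack on success, and once it denies, no later account module can grant access. This is the stack readers are most likely to copy, so suggest saying that next to the example. Please also check that the pam_access.so example further down the page (its "account    required      pam_access.so" line appears in the next hunk's header) still works with the flag shown here, since that example is not part of this diff.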
@@ -88,6 +88,16 @@ account    required      pam_access.so
 -:ALL:ALL
 </pre>
 
+<p>An alternative to pam_access is to place pam_listfile.so before
+pam_slurm_adopt.so. For example:</p>
+
+<pre>
+account    sufficient    pam_listfile.so item=user sense=allow onerr=fail file=/path/to/allowed_users_file
+account    required      pam_slurm_adopt.so
+</pre>
+
+<p>List the usernames of the allowed users in allowed_users_file.</p>
+
 <p>When access is denied, the user will receive a relevant error message.</p>
 
 <h2><a name="OPTIONS">pam_slurm_adopt Module Options</a></h2>
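Review bot: the added text after the pam_listfile.so example says only "List the usernames of the allowed users in allowed_users_file", without giving the file format or the required permissions. pam_listfile expects one item per line in a plain file that is not world-writable, and with onerr=fail a missing or unreadable file makes the module fail. Because anyone who can write to this file can let a user skip pam_slurm_adopt.so, suggest documenting that it should be owned by root and writable only by root. It would also help to state explicitly that, because the line is sufficient, users in the list return success before pam_slurm_adopt.so runs, so their ssh sessions are not adopted into a job, and any account modules placed after this line are skipped for them.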
-- 
GitLab