All,

For the MPI jobs, user needs to be able to launch passwordless ssh for 
the cluster.
So, if the session is initiated via PBS, then they should be able to do 
anything via password-less ssh.

Looking around online, it seems that some people use PBS environment 
variable as a differentiator between
PBS-launch ssh vs user-initated ssh.

Compute nodes will be deployed a set of login scripts that will check 
for those.

We'll test that out soon. This has been on a list for a while.

As always, thanks Steve for his suggestions.

Robin


Stephen E. Wright wrote:

> Hi guys,
>
> Here's a variety of abuse that was possible on the old Itanium 
> cluster:  once PBS started your session, you could use it to telnet to 
> other nodes on the system that weren't allocated to your job and use 
> them to run programs of your choosing (or ftp there and store files).
>
> Once we allow students on the system, their curiosity and creativity 
> can overcome their judgment.  I know of at least two such cases among 
> the very small number of students who used the Itanium cluster.  If we 
> can configure things to prevent this, it may be worth considering.
>
> Steve