From 7092d77e0b673464622d96398954eac06c1113c0 Mon Sep 17 00:00:00 2001
From: Samir Noir
Date: Thu, 3 Mar 2022 11:54:01 +0100
Subject: [PATCH] [std] touch /etc/oar/pam_activated to enable OAR pam verification in env
---
 g5k-postinstall | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/g5k-postinstall b/g5k-postinstall
index d3fc4ab1..649ca4c3 100755
--- a/g5k-postinstall
+++ b/g5k-postinstall
@@ -880,7 +880,16 @@ end
 if $restrictuser == 'std' and ENV['KADEPLOY_DEPLOY_LABEL'] == "KDPL_PROD_disk0"
 $logger.info "Std environment deployed on sda2: restricting to oar, root"
+ # The following line write to /etc/security/access.conf, disallowing every users
+ # and allowing only oar and root.
+ # The file /etc/oar/pam_activated is used to enable pam_oar_adopt PAM module,
+ # in std environment only, allowing direct ssh connections to nodes (under
+ # certain conditions).
+ # pam_oar_adopt could have handled the case of oar and root, by always allowing
+ # them to connect. However, we thought that it is wiser to let pam_access do it
+ # instead of our custom script launched via pam_exec
 accessconf_auth(['oar', 'root'])
+ FileUtils.touch("#{DSTDIR}/etc/oar/pam_activated")
 elsif $restrictuser =~ /^login:/
 user = ["#{$restrictuser.split(':')[1]}"]
 $logger.info "Restricting LDAP accounts to #{user}"
-- 
GitLab
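Review bot: `FileUtils.touch("#{DSTDIR}/etc/oar/pam_activated")` raises `Errno::ENOENT` when `#{DSTDIR}/etc/oar` is absent, and nothing visible in the hunk guarantees that directory exists in the deployed image. Because the call runs after `accessconf_auth(['oar', 'root'])`, a failure here would presumably abort postinstall with access.conf already rewritten. Consider `FileUtils.mkdir_p("#{DSTDIR}/etc/oar")` just before the touch, plus a `$logger.info "Enabling pam_oar_adopt via /etc/oar/pam_activated"` so the change in SSH admission shows up in the deployment log. The new comment describes both statements but sits only above `accessconf_auth`; the pam_activated sentences would read better directly above the touch, with the "certain conditions" spelled out, since this flag file is what switches the extra PAM path on. The if/elsif chain begins and continues outside the hunk.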