Message13450

Author wcmaier
Recipients dan, help, rader, wcmaier
Date 2008.01.14 10:35
Content
User gao recently informed us that he was running jobs on the g12
systems. This has come up before (notably, several s5s crashed due
to interactive user jobs), and we don't have a very good response.
After recommending that the user run their analysis in Condor (not
always possible, as in gao's case) or purchase dedicated hardware,
we have no good way of preventing unknowing or errant users from
logging into the compute nodes.

It is not desirable to simply remove the user accounts from the
machines, as this would break several debugging methods in Condor
and dCache. It is also not desirable to wall off those hosts using
libwrap, since it makes administration and debugging more annoying.

One solution would require the passwd management system to support
different passwd entries for the same user depending on the host. In
this way, we could set the shell to /sbin/nologin for most user
accounts on the compute nodes. We could do the same on the PNFS
server, which would allow us to map files to users more easily. As
far as I can tell, this is not possible with the current passwd
system.

When we get around to redoing passwd management, it'd be nice if
this sort of flexibility was included (or at least considered).

Thanks!

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:...wcmaier@xmpp.lfod.us | email:..will.maier@hep.wisc.edu |
| office:...........608.263.9692 | cell:..............608.438.6162 |
*--------------------[ UW High Energy Physics ]--------------------*
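
The per-host shell override described in the message, as an added example that is not part of the original message or of the site's passwd system: one master list is rendered per host, changing only the shell field so the accounts themselves stay present. Host names, the policy tables and the sample entries are constructed assumptions.

```python
# Added illustration: render a host-specific passwd file from one master list.
# Host names, user entries and the policy layout are constructed examples.

NOLOGIN = "/sbin/nologin"

# Constructed master entries in passwd(5) format (7 colon-separated fields).
MASTER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wcmaier:x:1001:1001:Admin:/home/wcmaier:/bin/zsh
gao:x:2001:2001:User:/home/gao:/bin/bash
condor:x:64:64:Condor:/var/lib/condor:/sbin/nologin
"""

# Hypothetical policy: host class -> users who keep their real shell there.
POLICY = {
    "compute": {"root", "wcmaier"},
    "pnfs": {"root", "wcmaier"},
}

# Hypothetical host -> class mapping; unlisted hosts get the master file as-is.
HOST_CLASS = {"compute01.example": "compute", "pnfs01.example": "pnfs"}


def render_passwd(master, host):
    """Return passwd text for `host`, overriding only the shell field."""
    keep_shell = POLICY.get(HOST_CLASS.get(host))  # None: no restriction
    out = []
    for line in master.splitlines():
        if not line.strip() or line.startswith("#"):
            out.append(line)
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        # Name, UID, GID and home are untouched, so the account still exists
        # on the host and file ownership still resolves to a user name.
        if keep_shell is not None and fields[0] not in keep_shell:
            fields[6] = NOLOGIN
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def shells(passwd_text):
    """Map user name -> login shell for a rendered passwd file."""
    rows = (l.split(":") for l in passwd_text.splitlines() if l)
    return {r[0]: r[6] for r in rows}


if __name__ == "__main__":
    print(render_passwd(MASTER_PASSWD, "compute01.example"), end="")
```
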
History
Date                 User     Action  Args
2008-01-14 10:35:51  wcmaier  set     recipients: + wcmaier, rader, dan
2008-01-14 10:35:51  wcmaier  link    issue4087 messages
2008-01-14 10:35:49  wcmaier  create