You might consider having some virtual ftp user accounts, if all they want to do is move data around - much more secure than shell access, and tunnel these through the ssh port.

cheers,
R.

On 07/01/2008, Pann McCuaig wrote:
> Greetings!
>
> We have a cluster (in the loosest, most generic application of that
> term) of machines running SL4.5, x86_64. I'll try to provide adequate
> but brief context before asking my actual question.
>
> There is one login node and a small finite number of compute nodes.
>
> The login node has two NICs, one facing the world with a public IP (and
> only port 22 open), and the second facing our private network.
>
> The compute nodes are only connected to the private net.
>
> Accounts are managed with NIS and /home and /usr/local are NFS-mounted.
> /opt is not.
>
> Users log into the login node and then ssh to a compute node to do work
> (over-simplification, but adequate for this discussion, I believe).
>
> Applications are either installed under /usr/local (available
> everywhere) or under /opt (available only on certain compute nodes).
>
> *Here's the actual question.*
>
> We would like to create accounts for restricted users, primarily for
> data sharing purposes. These users would have access to the filesystem
> as appropriate, but would not be allowed to run the applications living
> under /opt and /usr/local.
>
> A solution we have knocked around is to create a separate "non-compute"
> node for these users, and that node would not NFS-mount /usr/local. The
> users' login shell on the login node would be changed to a script that
> would log them into the "restricted users node," and when they log out
> from that node, they would be logged out of the login node as well.
>
> Suggestions? Better ideas? Pointers to RTFM? Thanks.
>
> Cheers,
> Pann
> --
> Pann McCuaig 212-854-8689
> Systems Coordinator, Economics Department, Columbia University
> Department Computing Resources:
> http://www.columbia.edu/cu/economics/computing/
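
The login-shell script proposed in the question, sketched as an added example that is not part of the original thread. Because the accounts come from NIS, the same shell applies on every node, so the wrapper also has to hand over to a real shell once it runs on the restricted node itself. The hostname restricted01, the shell /bin/bash and the install name restricted-login are assumptions, as is non-interactive authentication (for example host-based) from the login node to the restricted node.

```shell
#!/bin/sh
# Added example: login-shell wrapper for the restricted accounts.
# RESTRICTED_NODE and REAL_SHELL are assumed values, not from the thread.
RESTRICTED_NODE="restricted01"
REAL_SHELL="/bin/bash"

# Decide what to do from the local short hostname ($1) and the arguments
# sshd passed to the shell ($2...): none for an interactive login,
# "-c <command>" for a remote command, scp or sftp.
# Prints: local-login, local-command, forward-login, forward-command, reject.
plan() {
    host="$1"; shift
    if [ "$host" = "$RESTRICTED_NODE" ]; then where=local; else where=forward; fi
    if [ "$#" -eq 0 ]; then
        echo "$where-login"
    elif [ "$#" -eq 2 ] && [ "$1" = "-c" ]; then
        echo "$where-command"
    else
        echo reject
    fi
}

run_wrapper() {
    case "$(plan "$(hostname -s)" "$@")" in
        # NIS gives the account the same shell on every node, so on the
        # restricted node the wrapper hands over to the real shell.
        local-login)     exec "$REAL_SHELL" -l ;;
        local-command)   exec "$REAL_SHELL" -c "$2" ;;
        # exec replaces this process: when the remote session ends, the
        # session on the login node ends with it. -e none disables the
        # ssh escape character for the interactive session.
        forward-login)   exec ssh -t -e none "$RESTRICTED_NODE" ;;
        forward-command) exec ssh "$RESTRICTED_NODE" "$2" ;;
        *) echo "restricted account: unsupported request" >&2; exit 1 ;;
    esac
}

# Run only when installed under this (hypothetical) name, so the file can
# also be sourced to exercise plan() without opening a connection.
case "$0" in
    */restricted-login) run_wrapper "$@" ;;
esac
```

The script has to exist at the same path on the login node and the restricted node, so it cannot live under /usr/local, which the restricted node does not mount.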