Only allow connections if file (or special condition) is present

Darren Tucker dtucker at zip.com.au
Sun Jul 15 15:50:10 EST 2012


On Sat, Jul 14, 2012 at 03:14:42PM +0200, Jörg Tobias Borgert wrote:
[...]
> I want to achieve that a connection to my server is only possible if I plug
> in e.g. an USB stick (which would contain the file) and is always rejected
> if that pseudo-hardware-switch isn't set.

I can't think of any way to directly implement this in sshd_config,
however:
 - if your platform has PAM, you could use something like
   "pam_listfile.so onerr=fail" or similar.
 - you could implement a cron job to stop or start sshd based on the
   presence or absence of your file, i.e. if the file is present and sshd
   is not running then start it, and if the file is not present and sshd
   is running then stop it.

> My first idea was to symlink the host certificate to
> /media/my-usb-stick/certificate-file, but that doesn't feel right.

If you mean the host keys then it'll also stop sshd from starting if the
files are not present at boot time.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
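The cron-job approach from the reply above, written out as an added example (this is not code from the thread or from OpenSSH). It assumes a marker file on the USB stick at /media/my-usb-stick/sshd-enable, that sshd records its PID in /var/run/sshd.pid, and that the daemon is controlled with `service ssh start|stop`; all three are assumptions and are overridable through environment variables. The decision (start, stop or none) is separated from the action so the logic can be checked without touching a live sshd.

```shell
#!/bin/sh
# sshd-switch.sh: gate sshd on the presence of a "pseudo hardware switch" file.
# Intended to run from cron every minute, e.g.:
#   * * * * * root /usr/local/sbin/sshd-switch.sh
# Assumed paths (not from the original thread), overridable via the environment.
SWITCH_FILE="${SWITCH_FILE:-/media/my-usb-stick/sshd-enable}"
PID_FILE="${PID_FILE:-/var/run/sshd.pid}"

# sshd_running PIDFILE: succeed only if PIDFILE names a process that is alive.
# kill -0 sends no signal; it just checks that the PID exists and we may signal it.
sshd_running() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# decide_action SWITCH_FILE PIDFILE: print start, stop or none.
# file present + sshd down  -> start
# file absent  + sshd up    -> stop
# anything else             -> none (already in the desired state)
decide_action() {
    if [ -e "$1" ]; then
        if sshd_running "$2"; then echo none; else echo start; fi
    else
        if sshd_running "$2"; then echo stop; else echo none; fi
    fi
}

# apply_action ACTION: drive the init system (assumed: the 'service' command).
apply_action() {
    case "$1" in
        start) service ssh start ;;
        stop)  service ssh stop ;;
        none)  : ;;
        *)     echo "sshd-switch: unknown action '$1'" >&2; return 1 ;;
    esac
}

# Only act when run as the script itself, so the functions can be sourced
# and exercised without starting or stopping anything.
if [ "${0##*/}" = "sshd-switch.sh" ]; then
    apply_action "$(decide_action "$SWITCH_FILE" "$PID_FILE")"
fi
```

Two practical caveats follow from the design: the one-minute cron granularity means pulling the stick leaves up to a minute during which new connections are still accepted, and stopping sshd does not terminate sessions that are already established, so an attacker who connected while the switch was present keeps that session until it ends on its own.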

