Only allow connections if file (or special condition) is present

Philipp Marek philipp.marek at linbit.com
Sun Jul 15 22:15:38 EST 2012


> > I want to achieve that a connection to my server is only possible if I
> > plug in e.g. a USB stick (which would contain the file) and is always
> > rejected if that pseudo-hardware-switch isn't set.
> 
> I can't think of any way to directly implement this in sshd_config,
> however:
>  - if your platform has PAM, you could use something like
>    "pam_listfile.so onerr=fail" or similar.
>  - you could implement a cron job to stop or start sshd based on the
>    presence or absence of your file, i.e. if the file is present and sshd
>    not running then start it, and if the file is not present and sshd is
>    running then stop it.
Better than a cron job is a udev script; just trigger for the specific FS 
UUID, and then start/stop SSHD.


> > My first idea was to symlink the host certificate to
> > /media/my-usb-stick/certificate-file, but that doesn't feel right.
> 
> if you mean the host keys then it'll also stop sshd from starting if the
> files are not present at boot time.
You could put the host keys on the USB stick, and when it is plugged in, mount 
it, start SSHD and umount again.


Regards,

Phil

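As an added example (mine, not code from this thread or from OpenSSH) of both ideas above, the udev rule keyed on the filesystem UUID and the mount / start sshd / umount variant with the host keys on the stick, here is a POSIX shell handler together with the rule text it expects. The UUID, mount point, handler path, key names and the systemd unit name are placeholders I assumed; sshd_config is assumed to carry HostKey lines pointing into the KEYCOPY directory. The "cron" mode implements the cron-job fallback from the quoted reply using the /dev/disk/by-uuid link udev maintains.

```shell
#!/bin/sh
# sshd-stick: run sshd only while a particular USB stick is plugged in.
# Added illustration of the udev idea from the thread; not list or OpenSSH code.
# Assumed placeholders: STICK_UUID (filesystem UUID of the stick), KEYCOPY
# (root-only directory on tmpfs that sshd_config's HostKey lines point at),
# SSHD_START/SSHD_STOP (whatever controls sshd on this host).
STICK_UUID="${STICK_UUID:-1234-ABCD}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/sshd-stick}"
KEYCOPY="${KEYCOPY:-/run/sshd-stick}"
HANDLER="${HANDLER:-/usr/local/sbin/sshd-stick}"
SSHD_START="${SSHD_START:-systemctl start ssh}"
SSHD_STOP="${SSHD_STOP:-systemctl stop ssh}"
SSHD_PIDFILE="${SSHD_PIDFILE:-/run/sshd.pid}"
HOST_KEYS="${HOST_KEYS:-ssh_host_ed25519_key ssh_host_rsa_key}"

# Rule text for /etc/udev/rules.d/99-sshd-stick.rules. Matching on ID_FS_UUID
# also works on "remove", since udev supplies the stored properties then.
udev_rule() {
    uuid="$1"; handler="$2"
    printf 'ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_UUID}=="%s", RUN+="%s add"\n' "$uuid" "$handler"
    printf 'ACTION=="remove", SUBSYSTEM=="block", ENV{ID_FS_UUID}=="%s", RUN+="%s remove"\n' "$uuid" "$handler"
}

# Decision shared by the udev handler and the cron fallback:
# $1 = stick present (1/0), $2 = sshd running (1/0)  ->  start | stop | noop
decide_action() {
    if [ "$1" = 1 ] && [ "$2" = 0 ]; then echo start
    elif [ "$1" = 0 ] && [ "$2" = 1 ]; then echo stop
    else echo noop
    fi
}

# Succeeds only if every named private key exists in $1 and is mode 0600/0400.
host_keys_ok() {
    dir="$1"; shift
    for k in "$@"; do
        [ -f "$dir/$k" ] || return 1
        mode=$(stat -c %a "$dir/$k" 2>/dev/null || stat -f %Lp "$dir/$k")
        case "$mode" in 600|400) ;; *) return 1 ;; esac
    done
    return 0
}

sshd_running() {
    [ -r "$SSHD_PIDFILE" ] && kill -0 "$(cat "$SSHD_PIDFILE")" 2>/dev/null
}

# Mount read-only, copy the keys into KEYCOPY, unmount again right away.
# Copying (instead of starting sshd straight off the mount) also sidesteps
# udevd's private mount namespace, in which a RUN+= program's mount is not
# visible to the rest of the system.
stage_keys() {
    mount -o ro,nodev,nosuid,noexec "UUID=$STICK_UUID" "$MOUNTPOINT" || return 1
    ok=0
    if host_keys_ok "$MOUNTPOINT" $HOST_KEYS && rm -rf "$KEYCOPY" && mkdir -m 0700 "$KEYCOPY"; then
        ok=1
        for k in $HOST_KEYS; do
            cp "$MOUNTPOINT/$k" "$KEYCOPY/$k" && chmod 0600 "$KEYCOPY/$k" || ok=0
        done
    fi
    umount "$MOUNTPOINT"
    [ "$ok" = 1 ]
}

present=""
case "${1:-}" in
    add)    present=1 ;;
    remove) present=0 ;;
    cron)   if [ -e "/dev/disk/by-uuid/$STICK_UUID" ]; then present=1; else present=0; fi ;;
    rule)   udev_rule "$STICK_UUID" "$HANDLER" ;;
    "")     : ;;   # no argument: define functions only
    *)      echo "usage: $0 add|remove|cron|rule" >&2; exit 2 ;;
esac

if [ -n "$present" ]; then
    if sshd_running; then running=1; else running=0; fi
    case "$(decide_action "$present" "$running")" in
        start) stage_keys && $SSHD_START ;;
        stop)  $SSHD_STOP; rm -rf "$KEYCOPY" ;;
    esac
fi
```

Install the handler as root, write `sshd-stick rule` into a rules file and run `udevadm control --reload`; for a host without udev rules (or as a belt-and-braces check), `sshd-stick cron` from crontab does the file-present/absent logic from the reply above. Programs started from RUN+= are short-lived by design, which is why the script hands the daemon to the service manager rather than exec'ing sshd itself; set SSHD_START/SSHD_STOP to the init script invocation on non-systemd hosts.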
