Only allow connections if file (or special condition) is present
philipp.marek at linbit.com
Sun Jul 15 22:15:38 EST 2012
> > I want to achieve that a connection to my server is only possible if I
> > plug in e.g. a USB stick (which would contain the file) and is always
> > rejected if that pseudo-hardware-switch isn't set.
> I can't think of any way to directly implement this in sshd_config,
> - if your platform has PAM, you could use something like
> "pam_listfile.so onerr=fail" or similar.
> - you could implement a cron job to stop or start sshd based on the
> presence or absence of your file, i.e. if the file is present and sshd
> not running then start it, and if the file is not present and sshd is
> running then stop it.
Better than a cron job is a udev script; just trigger for the specific FS
UUID, and then start/stop SSHD.
> > My first idea was to symlink the host certificate to
> > /media/my-usb-stick/certificate-file, but that doesn't feel right.
> if you mean the host keys then it'll also stop sshd from starting if the
> files are not present at boot time.
You could put the host keys on the USB stick, and when plugging in, mount,
start SSHD and umount again.
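
The udev approach suggested above could look like the following handler. This is an added example, not part of the original message; the rule, the script path, the `0000-0000` UUID and the `service ssh` command are assumptions or placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Hypothetical udev rule that would call this script (path and UUID are placeholders):
#   SUBSYSTEM=="block", ACTION=="add|remove", ENV{ID_FS_UUID}=="0000-0000", RUN+="/usr/local/sbin/sshd-gate.sh"
# udev passes ACTION and the device properties (ID_FS_UUID) in the environment.

GATE_UUID="${GATE_UUID:-0000-0000}"   # placeholder: UUID of the stick's filesystem
SSHD_CTL="${SSHD_CTL:-service ssh}"   # assumption: init-script name varies (ssh / sshd)

# Print start, stop or ignore for one udev event.
# $1 = ACTION, $2 = ID_FS_UUID. Anything unexpected maps to "ignore".
gate_decision() {
    [ -n "$2" ] && [ "$2" = "$GATE_UUID" ] || { echo ignore; return 0; }
    case "$1" in
        add)    echo start ;;
        remove) echo stop ;;
        *)      echo ignore ;;
    esac
}

# Act on the decision; events for other devices leave sshd untouched.
gate_apply() {
    decision=$(gate_decision "$1" "$2")
    case "$decision" in
        start|stop) $SSHD_CTL "$decision" ;;
    esac
}

# With no udev environment (ACTION/ID_FS_UUID unset) this is a no-op.
gate_apply "${ACTION:-}" "${ID_FS_UUID:-}"
```

Disable sshd's boot-time start, or the daemon is already running before the stick is ever inserted. A filesystem UUID is only a label that can be set on any other stick, so this works as a switch, not as an authenticator.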