Dynamically allow users with OpenSSH?

Peter Moody mindrot at hda3.com
Thu Mar 7 09:29:52 AEDT 2019

why aren't the authorized keys/principals commands sufficient?

$ getent group maybe-allow-these-users

Match Group maybe-allow-these-users
  AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
  AuthorizedPincipalsCommandUser nobody

$ cat /etc/ssh/allow_if_running_job
ps auxgw | grep $1 && echo $1

the AuthorizedKeysCommand could look like

$ cat /etc/ssh/allow_if_running_job
ps auxgw | grep $1 && cat /home/$1/.ssh/authorized_keys

replace ps auxgw with whatever command you run to find out if the user
is running a job

On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor at gmail.com> wrote:
> Hello, how can I dynamically allow or disallow users with OpenSSH? I
> have some nodes that users can submit jobs to, and can optionally be
> handed a session to the requested node. But I want to prevent them
> from SSH-ing in to nodes unless they have a job running on that node.
> My idea was to implement libssh's callback abilities and have a script
> that checks the username against jobs running on the nodes to accept
> or reject an incoming connection. However, after reading the manual, I
> haven't found this capability. As I mentioned in this stack overflow
> post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
> sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
> insufficient to accomplish this.
> Does OpenSSH have some sort of callback extensibility for dynamically
> allowing or disallowing users based on an external script or file?
> Thanks for your time.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

More information about the openssh-unix-dev mailing list