Dynamically allow users with OpenSSH?

Peter Moody mindrot at hda3.com
Thu Mar 7 09:29:52 AEDT 2019


Why aren't the authorized keys/principals commands sufficient?

$ getent group maybe-allow-these-users
maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...

Match Group maybe-allow-these-users
  AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
  AuthorizedPrincipalsCommandUser nobody

$ cat /etc/ssh/allow_if_running_job
#!/bin/sh
# print "$1" as an allowed principal only if a process matching it is running (skip the grep itself)
ps auxgw | grep -v grep | grep -q -- "$1" && echo "$1"

The AuthorizedKeysCommand could look like:

$ cat /etc/ssh/allow_if_running_job
#!/bin/sh
# print the user's keys only if a process matching "$1" is running (skip the grep itself)
ps auxgw | grep -v grep | grep -q -- "$1" && cat "/home/$1/.ssh/authorized_keys"

Replace ps auxgw with whatever command you run to find out if the user
is running a job.

On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor at gmail.com> wrote:
>
> Hello, how can I dynamically allow or disallow users with OpenSSH? I
> have some nodes that users can submit jobs to, and can optionally be
> handed a session to the requested node. But I want to prevent them
> from SSH-ing in to nodes unless they have a job running on that node.
> My idea was to implement libssh's callback abilities and have a script
> that checks the username against jobs running on the nodes to accept
> or reject an incoming connection. However, after reading the manual, I
> haven't found this capability. As I mentioned in this stack overflow
> post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
> sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
> insufficient to accomplish this.
>
> Does OpenSSH have some sort of callback extensibility for dynamically
> allowing or disallowing users based on an external script or file?
> Thanks for your time.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
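The following is an added example, not code from the thread or from OpenSSH, that fills in the "whatever command you run to find out if the user is running a job" part of the reply above in a form that can be wired up either as the AuthorizedKeysCommand (print the user's keys) or as the AuthorizedPrincipalsCommand (print the user's name). It assumes a hypothetical job table file JOB_TABLE with one "<user> <jobid>" line per running job, standing in for the scheduler query, and a KEYSDIR under which each user's authorized_keys lives; both are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a stricter allow_if_running_job that
# works as an AuthorizedKeysCommand (prints the user's keys) or as an
# AuthorizedPrincipalsCommand (prints the user's name).
# Assumptions: running jobs are listed in the text file JOB_TABLE, one
# "<user> <jobid>" per line, in place of a real scheduler query; keys live
# under KEYSDIR/<user>/.ssh/authorized_keys.

# Constructed job table path; in production user_has_job would run the
# scheduler's own query instead of reading this file.
JOB_TABLE="${JOB_TABLE:-/var/run/jobs_on_this_node}"

# user_has_job USER: succeed only if USER owns a job on this node. Comparing
# the whole first field avoids the substring problem of "grep user1", which
# also matches user10 (and the grep process itself).
user_has_job() {
    [ -r "$JOB_TABLE" ] || return 1
    awk -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$JOB_TABLE"
}

# valid_username NAME: accept only plain portable user names, so a name
# handed in via %u can never act as a path component such as "../".
valid_username() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# principal_if_running_job USER: AuthorizedPrincipalsCommand form. The name
# is printed as the single allowed principal only while a job is running.
principal_if_running_job() {
    valid_username "$1" && user_has_job "$1" && echo "$1"
}

# allow_if_running_job USER [KEYSDIR]: AuthorizedKeysCommand form. Prints
# KEYSDIR/USER/.ssh/authorized_keys only while USER has a running job.
allow_if_running_job() {
    user="$1"
    keys="${2:-/home}/$user/.ssh/authorized_keys"
    valid_username "$user" || return 1
    user_has_job "$user" || return 1
    [ -r "$keys" ] || return 1
    cat "$keys"
}

# When sshd invokes the script the user name arrives as the first argument (%u).
if [ "$#" -gt 0 ]; then
    allow_if_running_job "$1"
fi
```

Two things to keep in mind when installing a script like this: sshd requires the command to be owned by root and not writable by group or others, and it runs as the AuthorizedKeysCommandUser (or AuthorizedPrincipalsCommandUser), so that account needs read access to whatever the script prints. The principals form only has an effect for certificate-based authentication, where the printed names are matched against the certificate's principals.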


More information about the openssh-unix-dev mailing list