Dynamically allow users with OpenSSH?

Ryan Cox ryan_cox at byu.edu
Fri Mar 8 05:31:01 AEDT 2019

Just out of curiosity, what are you using to schedule jobs?  If it's 
something like Slurm, it has this capability through pam_slurm_adopt (or 
the older pam_slurm).  IIRC, several other batch job schedulers 
implement this kind of functionality too.  If you're using something 
different, then obviously you'll need to use one of the other approaches 
suggested on the list.


On 03/07/2019 11:18 AM, Isaiah Taylor wrote:
> Peter and Jason, thanks for your replies on this.
> I was able to accomplish this with a combination of Peter's solution
> and setting "AuthorizedKeysFile none" as suggested in the Stack
> Overflow question.
> On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote:
>> why aren't the authorized keys/principals commands sufficient?
>>
>> $ getent group maybe-allow-these-users
>> maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...
>>
>> Match Group maybe-allow-these-users
>>    AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
>>    AuthorizedPrincipalsCommandUser nobody
>>
>> $ cat /etc/ssh/allow_if_running_job
>> #!/bin/sh
>> # -q keeps grep's matched lines out of the output that sshd parses
>> ps auxgw | grep -q -- "$1" && echo "$1"
>>
>> the AuthorizedKeysCommand could look like
>>
>> $ cat /etc/ssh/allow_if_running_job
>> #!/bin/sh
>> # -q keeps grep's matched lines out of the output that sshd parses
>> ps auxgw | grep -q -- "$1" && cat "/home/$1/.ssh/authorized_keys"
>>
>> replace ps auxgw with whatever command you run to find out if the user
>> is running a job
>> On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor at gmail.com> wrote:
>>> Hello, how can I dynamically allow or disallow users with OpenSSH? I
>>> have some nodes that users can submit jobs to, and can optionally be
>>> handed a session to the requested node. But I want to prevent them
>>> from SSH-ing in to nodes unless they have a job running on that node.
>>> My idea was to implement libssh's callback abilities and have a script
>>> that checks the username against jobs running on the nodes to accept
>>> or reject an incoming connection. However, after reading the manual, I
>>> haven't found this capability. As I mentioned in this Stack Overflow
>>> post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
>>> sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
>>> insufficient to accomplish this.
>>> Does OpenSSH have some sort of callback extensibility for dynamically
>>> allowing or disallowing users based on an external script or file?
>>> Thanks for your time.
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Ryan Cox
Office of Research Computing
Brigham Young University
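
The AuthorizedKeysCommand approach quoted above, written out as an added example that is not code from the thread or from OpenSSH: a helper that validates the username, matches job owners exactly and prints keys only when a job is found. The function names (valid_user, list_job_owners, owner_listed, keys_if_running_job) are hypothetical, and the ps-based lookup is a stand-in assumption for the scheduler's own query.

```sh
#!/bin/sh
# Added example, not code from the thread. sshd_config side (directives named
# in the thread; sshd requires the helper to be root-owned, not writable by
# group or others, and given as an absolute path):
#   Match Group maybe-allow-these-users
#       AuthorizedKeysFile none
#       AuthorizedKeysCommand /etc/ssh/allow_if_running_job %u
#       AuthorizedKeysCommandUser nobody

# Accept only conservative account names so the argument can never act as an
# option, a pattern or a path component such as "..".
valid_user() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Assumption: stand-in job lookup printing one owner per line. Replace the
# body with the scheduler's own query for jobs running on this node.
list_job_owners() {
    ps -e -o user= | awk '{ print $1 }'
}

# Exact, fixed-string, whole-line match on stdin: "bob" does not match
# "bobby", and the check cannot match its own command line as
# "ps | grep user" can.
owner_listed() {
    grep -qxF -- "$1"
}

# Print the key file only when the name is valid and the user owns a job.
# Any other outcome prints nothing and returns non-zero.
keys_if_running_job() {
    user=$1
    keyfile=$2
    valid_user "$user" || return 1
    list_job_owners | owner_listed "$user" || return 1
    [ -r "$keyfile" ] || return 1
    cat "$keyfile"
}

# Run only when installed under the name used in the sshd_config above.
case "${0##*/}" in
    allow_if_running_job)
        keys_if_running_job "$1" "/home/$1/.ssh/authorized_keys" ;;
esac
```

With AuthorizedKeysFile none in the Match block, sshd has no key file to fall back on when the helper prints nothing.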
