Dynamically allow users with OpenSSH?
Isaiah Taylor
isaiah.p.taylor at gmail.com
Fri Mar 8 06:02:37 AEDT 2019
Ryan,

I'm using Torque/Maui. Thanks for the tip, it turns out there is
already some plugin work around this
(http://docs.adaptivecomputing.com/torque/3-0-5/3.4hostsecurity.php)!
I'll look into that as an option as well.

Isaiah

On Thu, Mar 7, 2019 at 10:31 AM Ryan Cox <ryan_cox at byu.edu> wrote:
>
> Just out of curiosity, what are you using to schedule jobs? If it's
> something like Slurm, it has this capability through pam_slurm_adopt (or
> the older pam_slurm). IIRC, several other batch job schedulers
> implement this kind of functionality too. If you're using something
> different, then obviously you'll need to use one of the other approaches
> suggested on the list.
>
> Ryan
>
> On 03/07/2019 11:18 AM, Isaiah Taylor wrote:
> > Peter and Jason, thanks for your replies on this.
> >
> > I was able to accomplish this with a combination of Peter's solution
> > and setting "AuthorizedKeysFile none" as suggested in the Stack
> > Overflow question.
> >
> > On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote:
> >> why aren't the authorized keys/principals commands sufficient?
> >>
> >> $ getent group maybe-allow-these-users
> >> maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...
> >>
> >> Match Group maybe-allow-these-users
> >> AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
> >> AuthorizedPrincipalsCommandUser nobody
> >>
> >> $ cat /etc/ssh/allow_if_running_job
> >> #!/bin/sh
> >> # -q: sshd reads this script's stdout, so keep ps lines out of it
> >> ps auxgw | grep -q -- "$1" && echo "$1"
> >>
> >> the AuthorizedKeysCommand could look like
> >>
> >> $ cat /etc/ssh/allow_if_running_job
> >> #!/bin/sh
> >> # -q: only key lines may reach stdout, which sshd parses
> >> ps auxgw | grep -q -- "$1" && cat "/home/$1/.ssh/authorized_keys"
> >>
> >> replace ps auxgw with whatever command you run to find out if the user
> >> is running a job
> >>
> >> On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor at gmail.com> wrote:
> >>> Hello, how can I dynamically allow or disallow users with OpenSSH? I
> >>> have some nodes that users can submit jobs to, and can optionally be
> >>> handed a session to the requested node. But I want to prevent them
> >>> from SSH-ing in to nodes unless they have a job running on that node.
> >>> My idea was to implement libssh's callback abilities and have a script
> >>> that checks the username against jobs running on the nodes to accept
> >>> or reject an incoming connection. However, after reading the manual, I
> >>> haven't found this capability. As I mentioned in this stack overflow
> >>> post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
> >>> sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
> >>> insufficient to accomplish this.
> >>>
> >>> Does OpenSSH have some sort of callback extensibility for dynamically
> >>> allowing or disallowing users based on an external script or file?
> >>> Thanks for your time.
> >>> _______________________________________________
> >>> openssh-unix-dev mailing list
> >>> openssh-unix-dev at mindrot.org
> >>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --
> Ryan Cox
> Director
> Office of Research Computing
> Brigham Young University
>
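
The approach from the thread (an AuthorizedKeysCommand that emits keys only while the user has a job, combined with "AuthorizedKeysFile none"), written out as an added example that is not part of the thread or any poster's code. The job-listing helper in JOB_LIST_CMD and the KEYS_DIR path are hypothetical; substitute whatever your scheduler provides.

```shell
#!/bin/sh
# Added example, not from the thread: fail-closed AuthorizedKeysCommand helper.
# sshd_config side, using the directives discussed above:
#   Match Group maybe-allow-these-users
#       AuthorizedKeysFile none
#       AuthorizedKeysCommand /etc/ssh/allow_if_running_job %u
#       AuthorizedKeysCommandUser nobody
# Assumptions: JOB_LIST_CMD prints the owner of every job running on this
# node, one username per line; KEYS_DIR holds one key file per user that
# the AuthorizedKeysCommandUser can read. Both defaults are hypothetical.
JOB_LIST_CMD=${JOB_LIST_CMD:-/usr/local/sbin/list_job_owners}
KEYS_DIR=${KEYS_DIR:-/etc/ssh/job_keys}

keys_if_running_job() {
    user=$1
    # Accept plain account names only, so the value can never act as an
    # option or walk out of KEYS_DIR.
    case $user in
        ''|.|..|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    # Deny when the scheduler query itself fails.
    owners=$($JOB_LIST_CMD 2>/dev/null) || return 1
    # -F -x: exact whole-line match, so "ann" does not match "joanna".
    # -q: nothing but key lines may reach stdout, which sshd parses.
    printf '%s\n' "$owners" | grep -Fxq -- "$user" || return 1
    [ -f "$KEYS_DIR/$user" ] && [ -r "$KEYS_DIR/$user" ] || return 1
    cat -- "$KEYS_DIR/$user"
}

# sshd passes the login name (%u) as $1; run only under the installed name.
if [ "${0##*/}" = allow_if_running_job ]; then
    keys_if_running_job "$1"
fi
```

sshd only runs an AuthorizedKeysCommand that is owned by root and not writable by group or others, so install the script with those permissions.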