Why aren't the authorized keys/principals commands sufficient?

    $ getent group maybe-allow-these-users
    maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...

    Match Group maybe-allow-these-users
        AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
        AuthorizedPrincipalsCommandUser nobody

    $ cat /etc/ssh/allow_if_running_job
    #!/bin/sh
    # Print the username as a principal only if ps lists a process owned by it.
    # -q keeps the ps output off stdout; the anchor avoids matching grep itself.
    ps auxgw | grep -q "^$1 " && echo "$1"

The AuthorizedKeysCommand could look like:

    $ cat /etc/ssh/allow_if_running_job
    #!/bin/sh
    # Print the user's authorized keys only if ps lists a process owned by them.
    ps auxgw | grep -q "^$1 " && cat "/home/$1/.ssh/authorized_keys"

Replace ps auxgw with whatever command you run to find out if the user is running a job.

On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor@xxxxxxxxx> wrote:
>
> Hello, how can I dynamically allow or disallow users with OpenSSH? I
> have some nodes that users can submit jobs to, and can optionally be
> handed a session to the requested node. But I want to prevent them
> from SSH-ing in to nodes unless they have a job running on that node.
> My idea was to implement libssh's callback abilities and have a script
> that checks the username against jobs running on the nodes to accept
> or reject an incoming connection. However, after reading the manual, I
> haven't found this capability. As I mentioned in this Stack Overflow
> post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
> sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
> insufficient to accomplish this.
>
> Does OpenSSH have some sort of callback extensibility for dynamically
> allowing or disallowing users based on an external script or file?
> Thanks for your time.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
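
A fail-closed variant of the AuthorizedKeysCommand helper discussed in this thread, as an added example that is not part of the original messages. It assumes a site-specific command (the hypothetical `/usr/local/sbin/list-job-owners`) that prints one username per line for every user with a job on the node, and home directories under `/home`.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand helper that fails closed.
# sshd_config, using the keys variant from the thread:
#   AuthorizedKeysCommand /etc/ssh/allow_if_running_job %u
#   AuthorizedKeysCommandUser must be an account that can read the key files.

# Assumption: a site-specific command that prints one username per line for
# every user with a job on this node. The path is hypothetical.
JOB_LIST_CMD=${JOB_LIST_CMD:-/usr/local/sbin/list-job-owners}
# Assumption: home directories live under /home, as in the thread's script.
KEYS_BASE=${KEYS_BASE:-/home}

# Accept only plain account names so %u can never alter the key file path.
valid_username() {
    case $1 in
        '' | -* | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Exact whole-line, fixed-string match: "user1" must not match "user10".
# A missing or failing job command yields no lines, so the check denies.
user_has_job() {
    "$JOB_LIST_CMD" 2>/dev/null | grep -qxF -- "$1"
}

# Print the user's keys only when every check passes; print nothing otherwise.
keys_for_user() {
    valid_username "$1" || return 1
    user_has_job "$1" || return 1
    keyfile="$KEYS_BASE/$1/.ssh/authorized_keys"
    # Require a regular file that is not a symlink.
    [ -f "$keyfile" ] && [ ! -L "$keyfile" ] || return 1
    cat "$keyfile"
}

# sshd passes the expansion of %u as the single argument.
if [ "$#" -eq 1 ]; then
    keys_for_user "$1"
fi
```

AuthorizedKeysCommand gates public key authentication only, so any other authentication method enabled in sshd_config is not restricted by this check. The check runs at login time; sessions already open are not closed when the job ends.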