Peter and Jason, thanks for your replies on this. I was able to
accomplish this with a combination of Peter's solution and setting
"AuthorizedKeysFile none" as suggested in the Stack Overflow question.

On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot@xxxxxxxx> wrote:
>
> why aren't the authorized keys/principals commands sufficient?
>
> $ getent group maybe-allow-these-users
> maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...
>
> Match Group maybe-allow-these-users
>   AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
>   AuthorizedPrincipalsCommandUser nobody
>
> $ cat /etc/ssh/allow_if_running_job
> #!/bin/sh
> ps auxgw | grep -q "$1" && echo "$1"
>
> the AuthorizedKeysCommand could look like
>
> $ cat /etc/ssh/allow_if_running_job
> #!/bin/sh
> ps auxgw | grep -q "$1" && cat "/home/$1/.ssh/authorized_keys"
>
> replace ps auxgw with whatever command you run to find out if the user
> is running a job
>
> On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor@xxxxxxxxx> wrote:
> >
> > Hello, how can I dynamically allow or disallow users with OpenSSH? I
> > have some nodes that users can submit jobs to, and can optionally be
> > handed a session to the requested node. But I want to prevent them
> > from SSH-ing in to nodes unless they have a job running on that node.
> > My idea was to implement libssh's callback abilities and have a script
> > that checks the username against jobs running on the nodes to accept
> > or reject an incoming connection. However, after reading the manual, I
> > haven't found this capability. As I mentioned in this stack overflow
> > post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
> > sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
> > insufficient to accomplish this.
> >
> > Does OpenSSH have some sort of callback extensibility for dynamically
> > allowing or disallowing users based on an external script or file?
> > Thanks for your time.
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@xxxxxxxxxxx
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
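
A hardened form of the allow_if_running_job helper discussed in this thread, as an added example that is not part of the original messages. It assumes "has a job on this node" means "owns at least one process here"; the function names and the KEYS_ROOT override are hypothetical.

```shell
#!/bin/sh
# Added example: hardened sketch of the thread's allow_if_running_job helper,
# for use as AuthorizedKeysCommand. Assumption: "has a job on this node" means
# "owns at least one process here"; replace list_process_uids with your
# scheduler's own query if it has one.

# UIDs of all running processes, one per line.
list_process_uids() { ps -e -o uid=; }

# Numeric UID for a user name; prints nothing and fails for unknown users.
uid_of() { id -u "$1" 2>/dev/null; }

# Reject names that could act as options or path components.
valid_username() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# True only if some process is owned by exactly this user. Comparing UIDs
# avoids the "grep user1" pitfalls: matching user10, matching a command line
# that mentions the name, or matching the grep process itself.
user_has_job() {
    valid_username "$1" || return 1
    want=$(uid_of "$1") || return 1
    [ -n "$want" ] || return 1
    for uid in $(list_process_uids); do
        [ "$uid" = "$want" ] && return 0
    done
    return 1
}

# Print the user's keys on stdout only when a job is running; stdout carries
# nothing else, because sshd parses every line as an authorized_keys entry.
# KEYS_ROOT is a hypothetical override; the default follows the thread.
emit_keys() {
    user_has_job "$1" || return 1
    keys="${KEYS_ROOT:-/home}/$1/.ssh/authorized_keys"
    [ -r "$keys" ] || return 1   # must be readable by AuthorizedKeysCommandUser
    cat -- "$keys"
}

# sshd invokes the helper with %u as the only argument.
if [ "$#" -ge 1 ]; then
    emit_keys "$1"
    exit $?
fi
```

sshd only runs an AuthorizedKeysCommand that is given by absolute path, owned by root and not writable by group or others. Pair it with "AuthorizedKeysFile none", as in the reply above, so the key file is never consulted without the job check.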