Re: Dynamically allow users with OpenSSH?

Peter and Jason, thanks for your replies on this.

I was able to accomplish this with a combination of Peter's solution
and setting "AuthorizedKeysFile none" as suggested in the Stack
Overflow question.

On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot@xxxxxxxx> wrote:
>
> why aren't the authorized keys/principals commands sufficient?
>
> $ getent group maybe-allow-these-users
> maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...
>
> Match Group maybe-allow-these-users
>   AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
>   AuthorizedPrincipalsCommandUser nobody
>
> $ cat /etc/ssh/allow_if_running_job
> #!/bin/sh
> # print the principal only if $1 has a running process; drop the grep
> # itself from the list so the pattern cannot match its own command line
> ps auxgw | grep -v grep | grep -q -- "$1" && echo "$1"
>
> the AuthorizedKeysCommand could look like
>
> $ cat /etc/ssh/allow_if_running_job
> #!/bin/sh
> ps auxgw | grep -v grep | grep -q -- "$1" && cat "/home/$1/.ssh/authorized_keys"
>
> replace ps auxgw with whatever command you run to find out if the user
> is running a job
>
> On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor@xxxxxxxxx> wrote:
> >
> > Hello, how can I dynamically allow or disallow users with OpenSSH? I
> > have some nodes that users can submit jobs to, and can optionally be
> > handed a session to the requested node. But I want to prevent them
> > from SSH-ing into nodes unless they have a job running on that node.
> > My idea was to implement libssh's callback abilities and have a script
> > that checks the username against jobs running on the nodes to accept
> > or reject an incoming connection. However, after reading the manual, I
> > haven't found this capability. As I mentioned in this Stack Overflow
> > post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
> > sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
> > insufficient to accomplish this.
> >
> > Does OpenSSH have some sort of callback extensibility for dynamically
> > allowing or disallowing users based on an external script or file?
> > Thanks for your time.
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@xxxxxxxxxxx
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
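The combination the thread arrives at (Peter's job check used as an AuthorizedKeysCommand, together with AuthorizedKeysFile none so that sshd consults nothing else) written out as an added example; this is not code from the thread or from OpenSSH. The scheduler query is stood in for by a constructed job list, and the key store path, file layout and group name are assumptions. One caveat for the AuthorizedPrincipalsCommand variant in Peter's reply: principals are only evaluated for certificate authentication (a CA configured with TrustedUserCAKeys), so with plain public keys the AuthorizedKeysCommand form is the one that applies.

```shell
#!/bin/sh
# allow_if_running_job: emit a user's authorized keys only while that user
# has a job on this node. Added example, not the thread's or OpenSSH's code.
#
# Matching sshd_config (hypothetical paths and group name):
#   AuthorizedKeysFile none
#   Match Group maybe-allow-these-users
#       AuthorizedKeysCommand /etc/ssh/allow_if_running_job %u
#       AuthorizedKeysCommandUser nobody
#
# JOB_LIST is a constructed stand-in for "ask the scheduler who is running
# here" (one username per line). KEYDIR is a hypothetical root-owned key
# store, readable by the AuthorizedKeysCommandUser but not writable by the
# users themselves, which is what makes "AuthorizedKeysFile none" useful:
# the user cannot add keys that bypass the job check.
: "${JOB_LIST:=${TMPDIR:-/tmp}/allow_if_running_job.jobs}"
: "${KEYDIR:=${TMPDIR:-/tmp}/allow_if_running_job.keys}"

# Constructed sample data so the example runs offline: alice and bob have
# jobs, alice and carol have keys, so only alice should be admitted.
setup_sample_data() {
    mkdir -p "$KEYDIR"
    printf '%s\n' alice bob > "$JOB_LIST"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYALICE alice@example\n' > "$KEYDIR/alice"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYCAROL carol@example\n' > "$KEYDIR/carol"
}

# has_running_job USER: succeed only if USER is a whole line of the job list.
# Fixed-string, whole-line matching (-F -x) avoids the pitfalls of
# `grep $1` over ps output, where "user1" also matches "user10".
has_running_job() {
    grep -qxF -- "$1" "$JOB_LIST"
}

# allow_if_running_job USER: print USER's keys when USER has a job here,
# otherwise print nothing and fail (sshd then has no key to accept).
# The username is validated before it is used in a path, so a value such
# as "../alice" can never reach the key store.
allow_if_running_job() {
    user=$1
    case $user in
        ""|*[!A-Za-z0-9._-]*|.*) return 1 ;;
    esac
    has_running_job "$user" || return 1
    [ -r "$KEYDIR/$user" ] || return 1
    cat "$KEYDIR/$user"
}

# When installed as the AuthorizedKeysCommand, sshd calls this with %u.
# A non-zero exit is logged by sshd and counts as a denial, which gives
# the operator a visible record of login attempts without a job.
if [ $# -gt 0 ]; then
    allow_if_running_job "$1"
fi
```

The script must live at a root-owned path that is not group- or world-writable, or sshd refuses to run it; running it as a dedicated unprivileged user (AuthorizedKeysCommandUser) keeps a bug in the job query from exposing anything beyond the key files it needs to read.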