Just out of curiosity, what are you using to schedule jobs? If it's
something like Slurm, it has this capability through pam_slurm_adopt (or
the older pam_slurm). IIRC, several other batch job schedulers
implement this kind of functionality too. If you're using something
different, then obviously you'll need to use one of the other approaches
suggested on the list.

Ryan

On 03/07/2019 11:18 AM, Isaiah Taylor wrote:
Peter and Jason, thanks for your replies on this.

I was able to accomplish this with a combination of Peter's solution
and setting "AuthorizedKeysFile none" as suggested in the Stack
Overflow question.

On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot@xxxxxxxx> wrote:
why aren't the authorized keys/principals commands sufficient?

$ getent group maybe-allow-these-users
maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...

Match Group maybe-allow-these-users
    AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
    AuthorizedPrincipalsCommandUser nobody

$ cat /etc/ssh/allow_if_running_job
#!/bin/sh
# match the USER column quietly, then print the principal and nothing else
ps auxgw | grep -q "^$1 " && echo "$1"

the AuthorizedKeysCommand could look like

$ cat /etc/ssh/allow_if_running_job
#!/bin/sh
# match the USER column quietly, then print that user's keys and nothing else
ps auxgw | grep -q "^$1 " && cat "/home/$1/.ssh/authorized_keys"

replace ps auxgw with whatever command you run to find out if the user
is running a job

On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor@xxxxxxxxx> wrote:
Hello, how can I dynamically allow or disallow users with OpenSSH? I
have some nodes that users can submit jobs to, and can optionally be
handed a session to the requested node. But I want to prevent them
from SSH-ing in to nodes unless they have a job running on that node.

My idea was to implement libssh's callback abilities and have a script
that checks the username against jobs running on the nodes to accept
or reject an incoming connection. However, after reading the manual, I
haven't found this capability. As I mentioned in this Stack Overflow
post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
insufficient to accomplish this.

Does OpenSSH have some sort of callback extensibility for dynamically
allowing or disallowing users based on an external script or file?

Thanks for your time.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Ryan Cox
Director
Office of Research Computing
Brigham Young University
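
A fail-closed AuthorizedKeysCommand helper for the approach discussed in this thread, added here as an example; it is not code from any of the posters or from OpenSSH. The key directory /etc/ssh/job_keys, the function names and the use of Slurm's squeue as the job query are assumptions; substitute your own scheduler's command.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand helper that fails closed.
# Assumed sshd_config, following the pattern in the thread:
#   Match Group maybe-allow-these-users
#       AuthorizedKeysFile none
#       AuthorizedKeysCommand /etc/ssh/allow_if_running_job %u
#       AuthorizedKeysCommandUser nobody

# Hypothetical root-owned directory holding one key file per user, so the
# unprivileged command user does not need to read home directories.
KEYS_DIR=${KEYS_DIR:-/etc/ssh/job_keys}

# Print one username per line for every job running on this node.
# Placeholder using Slurm's squeue; replace with your scheduler's query.
list_job_users() {
    squeue -h -t RUNNING -w "$(hostname -s)" -o '%u'
}

# Accept only conservative account names, so the value is safe to use in
# a path and cannot act as an option or a pattern.
valid_user() {
    case $1 in
        ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Exact whole-line match: "al" must not match a job owned by "alice".
user_has_job() {
    list_job_users 2>/dev/null | grep -qxF -e "$1"
}

# Write keys to stdout only when every check passes. Empty output means
# sshd finds no key for this user, and with "AuthorizedKeysFile none"
# there is no file fallback.
emit_keys() {
    valid_user "$1" || return 1
    user_has_job "$1" || return 1
    [ -f "$KEYS_DIR/$1" ] && cat "$KEYS_DIR/$1"
}

# sshd passes the login name as %u; do nothing when sourced without one.
[ "$#" -eq 0 ] || emit_keys "$1"
```
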