Re: Dynamically allow users with OpenSSH?

Just out of curiosity, what are you using to schedule jobs?  If it's something like Slurm, it has this capability through pam_slurm_adopt (or the older pam_slurm).  IIRC, several other batch job schedulers implement this kind of functionality too.  If you're using something different, then obviously you'll need to use one of the other approaches suggested on the list.

Ryan

On 03/07/2019 11:18 AM, Isaiah Taylor wrote:
Peter and Jason, thanks for your replies on this.

I was able to accomplish this with a combination of Peter's solution
and setting "AuthorizedKeysFile none" as suggested in the Stack
Overflow question.

On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot@xxxxxxxx> wrote:
why aren't the authorized keys/principals commands sufficient?

$ getent group maybe-allow-these-users
maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...

Match Group maybe-allow-these-users
   AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
   AuthorizedPrincipalsCommandUser nobody

$ cat /etc/ssh/allow_if_running_job
#!/bin/sh
# print the principal only if the process list mentions the user
ps auxgw | grep -q "$1" && echo "$1"

the AuthorizedKeysCommand could look like

$ cat /etc/ssh/allow_if_running_job
#!/bin/sh
# print the user's keys only if the process list mentions the user
ps auxgw | grep -q "$1" && cat "/home/$1/.ssh/authorized_keys"

replace ps auxgw with whatever command you run to find out if the user
is running a job

On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor@xxxxxxxxx> wrote:
Hello, how can I dynamically allow or disallow users with OpenSSH? I
have some nodes that users can submit jobs to, and can optionally be
handed a session to the requested node. But I want to prevent them
from SSH-ing in to nodes unless they have a job running on that node.
My idea was to implement libssh's callback abilities and have a script
that checks the username against jobs running on the nodes to accept
or reject an incoming connection. However, after reading the manual, I
haven't found this capability. As I mentioned in this Stack Overflow
post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
insufficient to accomplish this.

Does OpenSSH have some sort of callback extensibility for dynamically
allowing or disallowing users based on an external script or file?
Thanks for your time.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Ryan Cox
Director
Office of Research Computing
Brigham Young University
