Ryan, I'm using Torque/Maui. Thanks for the tip, it turns out there is
already some plugin work around this
(http://docs.adaptivecomputing.com/torque/3-0-5/3.4hostsecurity.php)!
I'll look into that as an option as well.

Isaiah

On Thu, Mar 7, 2019 at 10:31 AM Ryan Cox <ryan_cox@xxxxxxx> wrote:
>
> Just out of curiosity, what are you using to schedule jobs? If it's
> something like Slurm, it has this capability through pam_slurm_adopt (or
> the older pam_slurm). IIRC, several other batch job schedulers
> implement this kind of functionality too. If you're using something
> different, then obviously you'll need to use one of the other approaches
> suggested on the list.
>
> Ryan
>
> On 03/07/2019 11:18 AM, Isaiah Taylor wrote:
> > Peter and Jason, thanks for your replies on this.
> >
> > I was able to accomplish this with a combination of Peter's solution
> > and setting "AuthorizedKeysFile none" as suggested in the Stack
> > Overflow question.
> >
> > On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot@xxxxxxxx> wrote:
> >> why aren't the authorized keys/principals commands sufficient?
> >>
> >> $ getent group maybe-allow-these-users
> >> maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...
> >>
> >> Match Group maybe-allow-these-users
> >>   AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
> >>   AuthorizedPrincipalsCommandUser nobody
> >>
> >> $ cat /etc/ssh/allow_if_running_job
> >> #!/bin/sh
> >> ps auxgw | grep "$1" && echo "$1"
> >>
> >> the AuthorizedKeysCommand could look like
> >>
> >> $ cat /etc/ssh/allow_if_running_job
> >> #!/bin/sh
> >> ps auxgw | grep "$1" && cat "/home/$1/.ssh/authorized_keys"
> >>
> >> replace ps auxgw with whatever command you run to find out if the user
> >> is running a job
> >>
> >> On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor@xxxxxxxxx> wrote:
> >>> Hello, how can I dynamically allow or disallow users with OpenSSH? I
> >>> have some nodes that users can submit jobs to, and can optionally be
> >>> handed a session to the requested node. But I want to prevent them
> >>> from SSH-ing in to nodes unless they have a job running on that node.
> >>> My idea was to implement libssh's callback abilities and have a script
> >>> that checks the username against jobs running on the nodes to accept
> >>> or reject an incoming connection. However, after reading the manual, I
> >>> haven't found this capability. As I mentioned in this Stack Overflow
> >>> post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
> >>> sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
> >>> insufficient to accomplish this.
> >>>
> >>> Does OpenSSH have some sort of callback extensibility for dynamically
> >>> allowing or disallowing users based on an external script or file?
> >>> Thanks for your time.
>
> --
> Ryan Cox
> Director
> Office of Research Computing
> Brigham Young University
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
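
An added example, not code from anyone in this thread: a stricter form of the AuthorizedPrincipalsCommand helper discussed above. It compares exact fields rather than grepping for a substring, and writes only the principal to stdout, which is what sshd reads. `list_running_jobs` and its "user node" output format are hypothetical stand-ins for the site's scheduler query, and the sample data is constructed.

```shell
#!/bin/sh
# list_running_jobs: hypothetical stand-in for the scheduler query.
# It must print one "user node" pair per line. Constructed sample data.
list_running_jobs() {
    cat <<'EOF'
user1 node01
user2 node02
user10 node01
EOF
}

# Print the principal (the username) only if USER has a job on NODE.
# Returns 0 on allow, 1 on deny. A denial prints nothing, so sshd is
# given no principals for that user.
allow_if_running_job() {
    user=$1
    node=$2
    # Reject empty or unexpected names before using them anywhere.
    case $user in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    # Exact field comparison: "user1" must not match "user10", and the
    # matcher's own output never reaches stdout.
    if list_running_jobs | awk -v u="$user" -v n="$node" \
        '$1 == u && $2 == n { found = 1 } END { exit !found }'
    then
        printf '%s\n' "$user"
        return 0
    fi
    return 1
}

# Installed as the command, sshd passes %u as $1.
if [ "$#" -gt 0 ]; then
    allow_if_running_job "$1" "$(hostname -s)"
fi
```
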