Hello, how can I dynamically allow or disallow users with OpenSSH? I have some nodes that users can submit jobs to, and can optionally be handed a session to the requested node. But I want to prevent them from SSH-ing in to nodes unless they have a job running on that node. My idea was to implement libssh's callback abilities and have a script that checks the username against jobs running on the nodes to accept or reject an incoming connection. However, after reading the manual, I haven't found this capability. As I mentioned in this stack overflow post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh), sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are insufficient to accomplish this. Does OpenSSH have some sort of callback extensibility for dynamically allowing or disallowing users based on an external script or file? Thanks for your time.
why aren't the authorized keys/principals commands sufficient?

$ getent group maybe-allow-these-users
maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...

Match Group maybe-allow-these-users
    AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
    AuthorizedPrincipalsCommandUser nobody

$ cat /etc/ssh/allow_if_running_job
#!/bin/sh
# "grep -v grep" keeps the grep process itself (whose argv contains $1)
# from satisfying the match
ps auxgw | grep -v grep | grep -qw "$1" && echo "$1"

the AuthorizedKeysCommand could look like

$ cat /etc/ssh/allow_if_running_job
#!/bin/sh
ps auxgw | grep -v grep | grep -qw "$1" && cat "/home/$1/.ssh/authorized_keys"

replace ps auxgw with whatever command you run to find out if the user
is running a job

On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor at gmail.com> wrote:
>
> Hello, how can I dynamically allow or disallow users with OpenSSH? I
> [...]
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>>> "IT" == Isaiah Taylor <isaiah.p.taylor at gmail.com> writes:

IT> Does OpenSSH have some sort of callback extensibility for
IT> dynamically allowing or disallowing users based on an external
IT> script or file?

Seems more like the kind of thing you'd do through the PAM stack,
assuming your OS has that. pam_script seems directly on point if you
want to make decisions based on arbitrary scripting.

Needless to say, PAM can be baroque and is part of the attack surface,
so significant care is warranted.

- J<
Peter and Jason, thanks for your replies on this. I was able to
accomplish this with a combination of Peter's solution and setting
"AuthorizedKeysFile none" as suggested in the Stack Overflow question.

On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote:
>
> why aren't the authorized keys/principals commands sufficient?
> [...]