Jörg Tobias Borgert
2012-Jul-14 13:14 UTC
Only allow connections if file (or special condition) is present
Hello!

I was wondering if it is possible now (or possible to implement something like that in the future) that the daemon only accepts connections if a specific file is present at the moment of the connection request. I want to achieve that a connection to my server is only possible if I plug in e.g. a USB stick (which would contain the file) and is always rejected if that pseudo-hardware-switch isn't set.

My first idea was to symlink the host certificate to /media/my-usb-stick/certificate-file, but that doesn't feel right.

Thank you very much,
Tobias
Darren Tucker
2012-Jul-15 05:50 UTC
Only allow connections if file (or special condition) is present
On Sat, Jul 14, 2012 at 03:14:42PM +0200, Jörg Tobias Borgert wrote:
[...]
> I want to achieve that a connection to my server is only possible if I plug
> in e.g. a USB stick (which would contain the file) and is always rejected
> if that pseudo-hardware-switch isn't set.

I can't think of any way to directly implement this in sshd_config, however:

- if your platform has PAM, you could use something like "pam_listfile.so onerr=fail" or similar.

- you could implement a cron job to stop or start sshd based on the presence or absence of your file, i.e. if the file is present and sshd not running then start it, and if the file is not present and sshd is running then stop it.

> My first idea was to symlink the host certificate to
> /media/my-usb-stick/certificate-file, but that doesn't feel right.

if you mean the host keys then it'll also stop sshd from starting if the files are not present at boot time.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Tobias Borgert
2012-Jul-16 17:51 UTC
Only allow connections if file (or special condition) is present
> Better than a cron job is a udev script; just trigger for the specific FS
> UUID, and then start/stop SSHD.

Thank you all! I'll first try the udev script. If there is interest, I can post whether it worked or not and how I made it. But it might take until the weekend until I find time for this.

Thank you very much!
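A worked version of the start/stop approach discussed in this thread (Darren's cron job and the udev trigger quoted above), added here as an example and not code posted by anyone in the thread: a POSIX sh script that reconciles sshd's run state with the presence of a switch file. The path /media/my-usb-stick/sshd-enabled, the `pgrep`/`service ssh` commands and the `--apply` flag are assumptions; adjust them to your distribution's service manager. The commands are held in overridable variables so the decision logic can be exercised without touching a real sshd.

```shell
#!/bin/sh
# Constructed example: keep sshd's run state in sync with the presence of a
# "switch" file living on a removable USB stick. Not from the original thread.
# Invoke it with --apply from a cron entry (e.g. every minute) or from a udev
# RUN+= rule that fires when the stick's filesystem is added or removed.

# Assumed path of the switch file; the mount point directory exists even when
# the stick is unplugged, but the file does not, so -f is the right test.
SWITCH_FILE="${SWITCH_FILE:-/media/my-usb-stick/sshd-enabled}"

# Assumed service commands. Overridable so the logic can be tested safely.
SSHD_IS_RUNNING="${SSHD_IS_RUNNING:-pgrep -x sshd >/dev/null}"
SSHD_START="${SSHD_START:-service ssh start}"
SSHD_STOP="${SSHD_STOP:-service ssh stop}"

# Print the state sshd should be in ("running" or "stopped"),
# given the path of the switch file.
desired_state() {
    if [ -f "$1" ]; then
        echo running
    else
        echo stopped
    fi
}

# Print sshd's current state ("running" or "stopped").
current_state() {
    if sh -c "$SSHD_IS_RUNNING"; then
        echo running
    else
        echo stopped
    fi
}

# Bring sshd into the desired state and print the action taken:
# "start", "stop" or "noop". Only acts when the two states differ,
# so repeated cron/udev invocations are idempotent.
reconcile() {
    want=$(desired_state "$SWITCH_FILE")
    have=$(current_state)
    if [ "$want" = "$have" ]; then
        echo noop
    elif [ "$want" = running ]; then
        sh -c "$SSHD_START" && echo start
    else
        sh -c "$SSHD_STOP" && echo stop
    fi
}

# Apply only when explicitly asked, so sourcing the file has no side effects.
case "${1:-}" in
    --apply) reconcile ;;
esac
```

Two caveats a practitioner would want. Stopping the listening sshd only prevents new connections: sessions already established keep running, because each accepted connection is served by its own forked process, so unplugging the stick closes the door to new logins but does not disconnect anyone. The PAM route Darren mentions (pam_listfile with onerr=fail, which fails the check when the list file cannot be opened) behaves differently: sshd still accepts the TCP connection and rejects the client at authentication time, and it requires UsePAM yes in sshd_config.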