Peter and Jason, thanks for your replies on this.

I was able to accomplish this with a combination of Peter's solution and setting "AuthorizedKeysFile none" as suggested in the Stack Overflow question.

On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote:
>
> why aren't the authorized keys/principals commands sufficient?
>
> $ getent group maybe-allow-these-users
> maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...
>
> Match Group maybe-allow-these-users
>     AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
>     AuthorizedPrincipalsCommandUser nobody
>
> $ cat /etc/ssh/allow_if_running_job
> #!/bin/sh
> # "grep -v grep" drops the grep process itself, which would otherwise match $1
> ps auxgw | grep -v grep | grep -q -- "$1" && echo "$1"
>
> the AuthorizedKeysCommand could look like
>
> $ cat /etc/ssh/allow_if_running_job
> #!/bin/sh
> ps auxgw | grep -v grep | grep -q -- "$1" && cat "/home/$1/.ssh/authorized_keys"
>
> replace ps auxgw with whatever command you run to find out if the user
> is running a job
>
> On Wed, Mar 6, 2019 at 2:10 PM Isaiah Taylor <isaiah.p.taylor at gmail.com> wrote:
> >
> > Hello, how can I dynamically allow or disallow users with OpenSSH? I
> > have some nodes that users can submit jobs to, and can optionally be
> > handed a session to the requested node. But I want to prevent them
> > from SSH-ing in to nodes unless they have a job running on that node.
> > My idea was to implement libssh's callback abilities and have a script
> > that checks the username against jobs running on the nodes to accept
> > or reject an incoming connection. However, after reading the manual, I
> > haven't found this capability. As I mentioned in this Stack Overflow
> > post (https://stackoverflow.com/questions/55011729/how-to-dynamically-allow-users-in-openssh),
> > sshd_config:AllowUsers and sshd_config:AuthorizedKeysCommand are
> > insufficient to accomplish this.
> >
> > Does OpenSSH have some sort of callback extensibility for dynamically
> > allowing or disallowing users based on an external script or file?
> > Thanks for your time.
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
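The following is an added example, not code posted by anyone in this thread, showing a hardened version of the AuthorizedKeysCommand approach discussed above: keys are released only while the user has a job on the node, the username is validated before it is used in a path or pattern, and the job lookup is a whole-line match so the script cannot match itself or a longer username. The script path, the `JOB_USERS_CMD` and `KEY_DIR` variables, and the default use of the process table are assumptions for illustration; in production `JOB_USERS_CMD` would be the scheduler's own query (for Torque, whatever command lists the owners of jobs on this node), and `AuthorizedKeysFile none` is set so sshd does not fall back to the static file.

```shell
#!/bin/sh
# Added example (not from the thread): AuthorizedKeysCommand wrapper that
# prints a user's authorized keys only while that user has a running job
# on this node. Assumed sshd_config fragment (hypothetical):
#
#   Match Group maybe-allow-these-users
#       AuthorizedKeysFile none
#       AuthorizedKeysCommand /etc/ssh/allow_if_running_job %u
#       AuthorizedKeysCommandUser nobody
#
# JOB_USERS_CMD (assumed name) must print one username per line for every
# user that currently owns a job on this node. The default, the process
# table, is a stand-in; replace it with the scheduler's query.
# KEY_DIR (assumed name) is the parent of the users' home directories.

# user_has_job USER -> exit 0 if USER appears in the job-owner list
user_has_job() {
    user=$1
    # Reject anything that is not a plain account name: the value is
    # interpolated into a path below and comes straight from sshd's %u.
    case $user in
        ''|*[!A-Za-z0-9._-]*|-*) return 2 ;;
    esac
    # -x: whole-line match, so "alic" does not match "alice";
    # -F: literal match, so "." in a name is not a regex wildcard;
    # no grep process is in the list, so the self-match bug is gone.
    ${JOB_USERS_CMD:-ps -eo user=} | grep -qxF -- "$user"
}

# emit_keys USER -> print USER's authorized keys only if a job is running
emit_keys() {
    user=$1
    keyfile=${KEY_DIR:-/home}/$user/.ssh/authorized_keys
    if user_has_job "$user" && [ -r "$keyfile" ]; then
        cat "$keyfile"
        return 0
    fi
    # Print nothing: sshd then has no key to match and authentication fails.
    return 1
}

# When installed as /etc/ssh/allow_if_running_job, sshd invokes it with %u.
if [ "${0##*/}" = allow_if_running_job ]; then
    emit_keys "$1"
fi
```

Because sshd runs the command as the unprivileged `AuthorizedKeysCommandUser`, the key files have to be readable by that account (or the script has to read them from a root-maintained copy); the failure mode to check for is the opposite of the one in the original `grep $1` pipeline, where the grep process itself matched and every user passed.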
Just out of curiosity, what are you using to schedule jobs? If it's something like Slurm, it has this capability through pam_slurm_adopt (or the older pam_slurm). IIRC, several other batch job schedulers implement this kind of functionality too. If you're using something different, then obviously you'll need to use one of the other approaches suggested on the list.

Ryan

On 03/07/2019 11:18 AM, Isaiah Taylor wrote:
> Peter and Jason, thanks for your replies on this.
>
> I was able to accomplish this with a combination of Peter's solution
> and setting "AuthorizedKeysFile none" as suggested in the Stack
> Overflow question.
>
> On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote:
>> [...]

-- 
Ryan Cox
Director
Office of Research Computing
Brigham Young University
Ryan,

I'm using Torque/Maui. Thanks for the tip, it turns out there is already some plugin work around this (http://docs.adaptivecomputing.com/torque/3-0-5/3.4hostsecurity.php)! I'll look into that as an option as well.

Isaiah

On Thu, Mar 7, 2019 at 10:31 AM Ryan Cox <ryan_cox at byu.edu> wrote:
>
> Just out of curiosity, what are you using to schedule jobs? If it's
> something like Slurm, it has this capability through pam_slurm_adopt (or
> the older pam_slurm). IIRC, several other batch job schedulers
> implement this kind of functionality too. If you're using something
> different, then obviously you'll need to use one of the other approaches
> suggested on the list.
>
> Ryan
>
> On 03/07/2019 11:18 AM, Isaiah Taylor wrote:
> > [...]