Single user login (session) on sshd.

Hello all,

How can I do it on FreeBSD or OpenSSH so that a user can log in only once
at the same time? If a user can log in to the system, another person
who knows the username and password can't log in (at the same time) while the user's session is active.

One user may log in one time, maybe in FreeBSD/login.conf or
sshd_config.

Any idea please,

Regards,

ustuntas
 
Use public/private keys with passwords. That way that 'other' user must also have the private key before s/he can login.
 
Yes,

That is one way, but users are not familiar with this. They
use the ssh login from different locations and there is no
computer of their own.

I googled and found some issues about pam_limits.so with ssh, but
there is no pam_limits PAM module in FreeBSD.

Any Idea,
 
Are these employees? If so do you have a security policy?

If not, make one. Have it state that usernames/passwords are STRICTLY PERSONAL. Under no circumstances are you allowed to share your passwords with anyone. Make everyone sign it. Add it to the standard contract for new employees.

I'll guarantee you password sharing will stop once you've fired a couple of people for breaching the contract.
 
They are not employees. You are right.

But we want to make this a security project.

Regards,

ustuntas
 
Hello again,

I searched for pam_limits and it is just what I want. How can I
configure this PAM module on FreeBSD? Is there any way?

Regards,

ustuntas
 
It's far from an ideal solution, but I would write a simple wrapper around the user's shell to limit access to just one. Something like:

Code:
#!/bin/sh

if who | awk '{ print $1 }' | fgrep -q `whoami`
then
  exit 1
else
  /bin/tcsh
fi

and force this command in /etc/ssh/sshd_config:

Code:
Match User someuser
    ForceCommand /usr/local/bin/wrapper
 
Hello again,

This solution didn't work for me. I have done the following
steps

Code:
# vi /etc/sshd/sshd_config
 >> Match User remoteuser
    ForceCommand /bin/sshd_wrapper
then,
# vi /bin/sshd_wrapper
 >>
 #!/bin/sh
 if who | awk '{ print $1 }' | fgrep -q `whoami`
 then
   exit 1
 else
   /bin/tcsh
 fi
# chmod +x /bin/sshd_wrapper
# /etc/rc.d/sshd restart

Then, the user can log in twice at the same time :(

Regards,

ustuntas
 
Code:
 #!/bin/sh
 if who | awk '{ print $1 }' | fgrep -q `whoami`

This will always match ;) The user logging in is executing this wrapper in /bin/sh -- so he's already logged in according to who.

Wrapper run with -xv:
Code:
Password:
#!/bin/sh -xv
 if who | awk '{ print $1 }' | fgrep `whoami`
 then
   exit 1
 else
   /bin/tcsh
 fi
+ who
+ awk '{ print $1 }'
+ whoami
+ fgrep testuser
testuser
+ exit 1

So logging in is not allowed at all. You'll have to use a counter here ..
 
I changed the sshd_wrapper as you say, but my problem is still the same. ?

Please, what am I doing wrong?

Regards,

ustuntas
 
I don't know what you changed. Put
Code:
#!/bin/sh -xv
at the top of the wrapper script, and log into the server from another location (using command-line ssh) and watch the output on the screen.
 
DutchDaemon said:
Code:
 #!/bin/sh
 if who | awk '{ print $1 }' | fgrep -q `whoami`

This will always match ;) The user logging in is executing this wrapper in /bin/sh -- so he's already logged in according to who.

Aghhh.... this will do better:

Code:
#!/bin/sh

if test `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
 fi
 
Yes, I have added -xv at the top of the script like

Code:
#!/bin/sh -xv

if who | awk '{ print $1 }' | fgrep `whoami`
then
  exit 1
else
  /bin/tcsh
fi

Then, my user can log in twice at the same time. :(
 
ustuntas said:
Yes, I have added -xv at the top of the script like

Code:
#!/bin/sh -xv

if who | awk '{ print $1 }' | fgrep `whoami`
then
  exit 1
else
  /bin/tcsh
fi

Then, my user can log in twice at the same time. :(

Try the script in post #13 and be sure to restart sshd (if you didn't after changing sshd_config).
 
Hello again,

I have changed my /bin/sshd_wrapper as follows
Code:
#!/bin/sh -xv

if remoteuser `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi

And restarted sshd. But the user can log in more
than once at the same time. When I run the wrapper on
the shell after two logins of the same user,

Code:
#!/bin/sh -xv

if remoteuser `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi
+ who
+ awk { print $1 }
+ whoami
+ wc -l
+ fgrep remoteuser
+ remoteuser 2 -gt 1
remoteuser: not found
+ /bin/tcsh

Problem is still the same! :(

ustuntas
 
ustuntas said:
Hello again,

I have changed my /bin/sshd_wrapper as follows
Code:
#!/bin/sh -xv

if remoteuser `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi

Problem is still the same! :(

ustuntas

The "test" word in the script is not a user name but the command test. So the line should be:

Code:
if test `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
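A cleaned-up version of the ForceCommand wrapper discussed in this thread, added here as an example rather than any poster's script: it counts exact matches of the user name in `who` output (so "bob" does not also count "bobby"), treats the current session, which `who` already lists, as one of the allowed sessions, and logs a denial before refusing the shell. The install path /usr/local/bin/one-session-wrapper and the SAMPLE_WHO lines are constructed; FreeBSD base utilities (who, id, awk, logger) and /bin/tcsh are assumed.

```shell
#!/bin/sh
# One-session ForceCommand wrapper: an added example, not the script from
# this thread. Install as /usr/local/bin/one-session-wrapper (assumed path)
# and point sshd at it:
#   Match User someuser
#       ForceCommand /usr/local/bin/one-session-wrapper
# Assumes FreeBSD base utilities (who, id, logger, awk) and /bin/tcsh.

MAX_SESSIONS=1          # logins allowed per user, counting this one
LOGIN_SHELL=/bin/tcsh   # shell handed over to when the check passes

# Constructed sample of `who` output, used only for testing the counter.
SAMPLE_WHO='bob      pts/0    Jan  1 10:00 (192.0.2.10)
bobby    pts/1    Jan  1 10:01 (192.0.2.11)
bob      pts/2    Jan  1 10:02 (192.0.2.12)
alice    pts/3    Jan  1 10:03 (192.0.2.13)'

# count_user_sessions USER WHO_OUTPUT -> number of lines whose first
# field is exactly USER. An exact field compare avoids the substring
# problem of fgrep, where "bob" would also count "bobby".
count_user_sessions() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# session_allowed USER WHO_OUTPUT MAX -> exit status 0 if the count does
# not exceed MAX. The session running this wrapper is already listed by
# who (the point made in post #9), so with MAX=1 a second login fails.
session_allowed() {
    n=$(count_user_sessions "$1" "$2")
    [ "$n" -le "$3" ]
}

main() {
    me=$(id -un)
    if session_allowed "$me" "$(who)" "$MAX_SESSIONS"; then
        exec "$LOGIN_SHELL"
    fi
    logger -p auth.notice -t one-session-wrapper \
        "denied login for $me: already has $MAX_SESSIONS session(s)" \
        "from ${SSH_CLIENT%% *}"
    echo "Only $MAX_SESSIONS concurrent login allowed for $me." >&2
    exit 1
}

# Run main only when executed as the installed wrapper, so the functions
# above can also be sourced for testing.
case "$0" in *one-session-wrapper) main ;; esac
```

Two logins that arrive in the same instant can both read `who` before either is listed, so this is a convenience control rather than a hard limit; the key-based login and the password policy suggested earlier in the thread remain the stronger controls.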
 
Ok. So sorry, my mistake. I changed the /bin/sshd_wrapper as you say
Code:
#!/bin/sh -xv

if test `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi
and restarted sshd again. But the problem is still the same. When running the script on the shell as follows, the script is running correctly I
think, but the user couldn't exit the shell.
Code:
#!/bin/sh -xv

if test `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi
+ who
+ awk { print $1 }
+ whoami
+ wc -l
+ fgrep remoteuser
+ test 3 -gt 1
+ exit 1
 
What do you mean by 'couldn't exit the shell'?

This shows that this particular login would have failed:

Code:
+ exit 1
 
Back again.

I mean that the second user can still access the shell at the same time - the first user is still in the shell.
But I don't want the second user to log in (the user should not access the shell).

The script may run correctly, but the second user can access the
shell :(

What am I doing wrong?

ustuntas
 
[solved]

Hello all,

There was a big mistake on my part. I solved the problem. I mixed up my
config files so the wrapper wasn't run. But I changed the config files
and the wrapper is running correctly.

I want to thank all you guys for answering.

Regards,

ustuntas
 