I started a possible tool to watch the logs and deal with shell sessions, but it can be easily defeated with an ssh remoteserver /bin/bash.
Code:
#!/bin/sh
# startdate: 2018-10-05 13:20
# Purpose: if a service account user logs in interactively, then kill it.
# incomplete. Can be foiled with: ssh -t clonetest210 /bin/bash
# improve: how to retrieve log entries to check
# Sample journalctl output:
# Oct 05 13:12:52 clonetest210 sshd[1868]: Starting session: shell on pts/3 for bgstack15-local from 10.200.18.240 port 59349 id 0
# Dependencies: sshd_config LogLevel VERBOSE
# journalctl -f -u sshd is not sufficient. I cannot tell what unit logs the notice seen above.
BADUSERS="(bgstack15-local|prophetess)"   # ERE alternation of the service accounts to watch
# Fields of the matched text: $1 = sshd[PID]:, $6 = tty, $8 = user, $10 = source IP
journalctl -n100 \
   | grep -oE "sshd\[.{1,10}\]: Starting session: shell on .* for ${BADUSERS} from .*" \
   | awk '{print $1,$6,$8,$10}' \
   | while read -r longpid tty tu srcip ; do
   pid="$( echo "${longpid}" | tr -dc "[:digit:]" )"   # strip "sshd[" and "]:" to leave the pid
   echo "Found login: ${tu} from pid ${pid} from ip ${srcip} and made terminal ${tty}"
   # investigate that current pid. if it exists and is sshd, kill it
   psout="$( ps -e -o pid:9,ppid:9,user:15,command:90 2>/dev/null | awk "\$1 == $pid" )"
   if test -n "${psout}" && echo "${psout}" | grep -qE "sshd:" ; then
      echo "need to warn user ${tu} on tty ${tty} and then kill pid ${pid}"
      printf "\n%s\n" "Interactive sessions are not allowed for user ${tu}." > "/dev/${tty}"
      sleep 0   # no delay yet; the warning may not reach the terminal before the kill
      kill "${pid}"
   fi
done
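As an added example (not code from the original post), the parsing and decision part of the script above rewritten so the log line is split by field rather than by a single regex, and so the `ssh -t host /bin/bash` case the post mentions is also caught. It assumes the sshd VERBOSE "Starting session:" format shown in the post's sample, and that a command started with a pty is logged as "command on pts/N for ..." while sftp or a command without a pty has no "on pts/N" part. The BADUSERS list, the DRY_RUN switch, the sshd-ownership check via `ps -o comm=`, and all sample lines after the first (which is the post's own) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Classifies sshd VERBOSE
# "Starting session:" lines and decides what to do with each session.
# Assumption: a pty session is logged as "<kind> on pts/N for <user> ..."
# and a non-pty one as "<kind> for <user> ..." (kind = shell, command,
# subsystem 'sftp', ...). BADUSERS is a constructed list.
BADUSERS="bgstack15-local prophetess"
DRY_RUN=${DRY_RUN:-1}   # set DRY_RUN=0 to actually signal the session process

# is_bad_user NAME: succeed when NAME is one of the service accounts.
is_bad_user() {
    for _u in $BADUSERS; do
        [ "$_u" = "$1" ] && return 0
    done
    return 1
}

# classify_session LINE: print "DECISION user kind tty pid srcip".
# KILL  = service account got a pty (shell, or command with -t)
# NOPTY = service account without a pty (sftp, plain remote command);
#         not a terminal, but worth reviewing since the regex missed it
# ALLOW = any other account. Unrelated lines print IGNORE and fail.
classify_session() {
    case $1 in
        *"sshd["*"]: Starting session: "*) ;;
        *) echo IGNORE; return 1 ;;
    esac
    _rest=${1#*"sshd["}
    _pid=${_rest%%"]"*}
    _rest=${_rest#*"Starting session: "}
    _kind=${_rest%%" "*}                # shell | command | subsystem | ...
    _rest=${_rest#*" "}
    _tty=-
    case $_rest in
        "on "*) _tty=${_rest#"on "}; _tty=${_tty%%" "*} ;;
    esac
    _rest=${_rest#*"for "}              # drop "on pts/N for ", "'sftp' for " or "for "
    _user=${_rest%%" "*}
    _rest=${_rest#*" from "}
    _ip=${_rest%%" "*}
    if is_bad_user "$_user"; then
        if [ "$_tty" != - ]; then _decision=KILL; else _decision=NOPTY; fi
    else
        _decision=ALLOW
    fi
    echo "$_decision $_user $_kind $_tty $_pid $_ip"
}

# terminate_session PID TTY USER: warn on the terminal, then signal the
# sshd session process, but only if PID still belongs to sshd (pid reuse).
terminate_session() {
    _comm=$(ps -o comm= -p "$1" 2>/dev/null)
    case $_comm in
        sshd*) ;;
        *) echo "skip pid $1: not sshd (${_comm:-gone})"; return 1 ;;
    esac
    if [ "$DRY_RUN" != 0 ]; then
        echo "DRY_RUN: would warn $3 on /dev/$2 and kill pid $1"
        return 0
    fi
    printf '\n%s\n' "Interactive sessions are not allowed for user $3." > "/dev/$2"
    sleep 1                             # let the warning reach the terminal first
    kill -TERM "$1"
}

# scan_lines: read journal lines on stdin, print each decision, act on KILL.
scan_lines() {
    while IFS= read -r _line; do
        _out=$(classify_session "$_line") || continue
        echo "$_out"
        case $_out in
            "KILL "*) set -- $_out; terminate_session "$5" "$4" "$2" ;;
        esac
    done
}

# Constructed sample lines (the first is the post's own sample); in
# real use: journalctl -f | scan_lines
scan_lines <<'EOF'
Oct 05 13:12:52 clonetest210 sshd[1868]: Starting session: shell on pts/3 for bgstack15-local from 10.200.18.240 port 59349 id 0
Oct 05 13:15:01 clonetest210 sshd[1901]: Starting session: command on pts/4 for prophetess from 10.200.18.240 port 59360 id 0
Oct 05 13:16:10 clonetest210 sshd[1910]: Starting session: subsystem 'sftp' for prophetess from 10.200.18.241 port 59370 id 0
Oct 05 13:17:30 clonetest210 sshd[1920]: Starting session: shell on pts/5 for alice from 10.200.18.242 port 59380 id 0
Oct 05 13:18:00 clonetest210 sshd[1930]: Accepted publickey for alice from 10.200.18.242 port 59380 ssh2
EOF
```

The sshd-ownership check before `kill` matters because the pid in an old journal line may have been reused by an unrelated process by the time the scan runs; NOPTY lines show the sessions the original "shell on" regex never saw.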
Our users have the tendency to use only one login account to do their jobs. Obviously it's a matter of training our users, but our internal audit team insists on restrictions from our system.
So is there an option to restrict an account to only login once into the system?
We use HP-UX 11.0.
... (0 Replies)
Q. Write a script that behaves both in interactive and non-interactive mode. When no arguments are supplied it picks up each C program from the directory and prints the first 10 lines.
It then prompts for deletion of the file.
If the user supplies arguments with the script, then it works on those files... (1 Reply)
Q. Write a script that behaves both in interactive and non-interactive mode. When no arguments are supplied it picks up each C program from the directory and prints the first 10 lines.
It then prompts for deletion of the file.
If the user supplies arguments with the script, then it works on those files... (8 Replies)
Hey
Is there any way to differentiate if a user is logged directly into a UNIX functional account or if they have scsu'ed into the functional account?
Cheers
Paul (2 Replies)
Hi guys,
been scratching round the forums and my mountain of resources.
Maybe I haven't read deep enough.
My question is not how sed edits a stream and outputs it to a file, rather something like this below:
I have a .txt with some text in it:
abc:123:xyz
123:abc:987... (7 Replies)
Hello experts,
Is it possible to have a user account on RHEL 6.3 as a su-only account, but with ssh capability and no interactive login? Let me elaborate.
Say, we have a cluster of 5 RHEL 6.3 servers and a user account (strmadmin) on each of the servers as an su-only... (1 Reply)
Hi Everyone,
I want to know if it is possible to restrict user login to AIX by IP and user name.
e.g.
user alice can login to AIX (via ssh or telnet) from 192.168.1.100
user alice cannot login to AIX (via ssh or telnet) from 172.16.1.100
user bob cannot login to AIX (via ssh or telnet)... (6 Replies)
Hello,
I would like to confirm whether the below procedure is correct.
I disabled direct superuser access on an AIX server using the procedure below. Please let me know if there is any additional step.
1) confirm the access to HMC, console to reach the LPARs
2) chuser rlogin=false root
... (3 Replies)
I have Windows AD server and all of the linux computers are joined to AD.
Recently 2FA was activated; I wish to exclude some of the domain service accounts from 2FA.
# less /etc/pam_radius_acl.conf
sshd:*
# /etc/pam.d/sshd
auth required pam_sepermit.so
auth requisite... (0 Replies)
Discussion started by: davidpar007
pam_deny
PAM_DENY(8) Linux-PAM Manual PAM_DENY(8)
NAME
pam_deny - The locking-out PAM module
SYNOPSIS
pam_deny.so
DESCRIPTION
This module can be used to deny access. It always indicates a failure to the application through the PAM framework. It may be suitable
as the default (the OTHER) entries.
OPTIONS
This module does not recognise any options.
MODULE TYPES PROVIDED
All module types (account, auth, password and session) are provided.
RETURN VALUES
PAM_AUTH_ERR
This is returned by the account and auth services.
PAM_CRED_ERR
This is returned by the setcred function.
PAM_AUTHTOK_ERR
This is returned by the password service.
PAM_SESSION_ERR
This is returned by the session service.
EXAMPLES
#%PAM-1.0
#
# If we don't have config entries for a service, the
# OTHER entries are used. To be secure, warn and deny
# access to everything.
other auth required pam_warn.so
other auth required pam_deny.so
other account required pam_warn.so
other account required pam_deny.so
other password required pam_warn.so
other password required pam_deny.so
other session required pam_warn.so
other session required pam_deny.so
SEE ALSO
pam.conf(5), pam.d(5), pam(7)
AUTHOR
pam_deny was written by Andrew G. Morgan <morgan@kernel.org>
Linux-PAM Manual 06/04/2011 PAM_DENY(8)