Restrict service account from direct interactive sessions Post: 303024303

Sponsored Content

Top Forums UNIX for Advanced & Expert Users Restrict service account from direct interactive sessions Post 303024303 by bgstack15 on Friday 5th of October 2018 03:51:06 PM

10-05-2018

Registered User

I started a possible tool to watch the logs and deal with shell sessions, but it can be easily defeated with a ssh remoteserver /bin/bash.

Code:

#!/bin/sh
# startdate: 2018-10-05 13:20
# Purpose: if a service account user logs in interactively, then kill it.
# incomplete. Can be foiled with: ssh -t clonetest210 /bin/bash
# improve: how to retrieve log entries to check

# Sample journalctl output.
# Oct 05 13:12:52 clonetest210 sshd[1868]: Starting session: shell on pts/3 for bgstack15-local from 10.200.18.240 port 59349 id 0

# Dependencies: sshd_config LogLevel VERBOSE
# journalctl -f -u sshd is not sufficient. I cannot tell what unit logs the notice seen above.

BADUSERS="(bgstack15-local|prophetess)"

journalctl -n100 | grep -oE "sshd\[.{1,10}\]: Starting session: shell on .* for ${BADUSERS} from .*" | awk '{print $1,$6,$8,$10}' | while read longpid tty tu srcip ;
do
   pid="$( echo "${longpid}" | tr -dc "[:digit:]" )"
   echo "Found login: ${tu} from pid ${pid} from ip ${srcip} and made terminal ${tty}"

   # investigate that current pid. if it exists and is sshd, kill it
   psout="$( ps -e -o pid:9,ppid:9,user:15,command:90 2>/dev/null | awk "\$1 == $pid" )"
   if test -n "${psout}" && echo "${psout}" | grep -qE "sshd:" ;
   then
      echo "need to warn user ${tu} on tty ${tty} and then kill pid ${pid}"
      printf "\n%s\n" "Interactive sessions are not allowed for user ${tu}." > "/dev/${tty}"
      sleep 0
      kill "${pid}"
   fi
done

bgstack15

View Public Profile for bgstack15

Find all posts by bgstack15

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

How to restrict account to one log-in?

Our users have the tendency to use only one login account, to do their jobs. Obvious it�s a matter of training our users. But our internal audit team insists on restrictions from our system. So is there an option to restrict an account to only login once into the system? We use HP-UX 11.0. ...

2. Homework & Coursework Questions

Help with Interactive / Non Interactive Shell script

Q. Write a script that behaves both in interactive and non interactive mode. When no arguments are supplied it picks up each C program from the directory and prints first 10 lines. It then prompts for deletion of the file. If user supplies arguments with the script , then it works on those files...

3. Homework & Coursework Questions

How to write script that behaves both in interactive and non interactive mode

4. Solaris

Direct/scsu access to unix account

Hey Is there any way to differentiate if a user is logged directly into a UNIX functional account or if they have scsu'ed into the functional account? Cheers Paul

5. Shell Programming and Scripting

Manipulating sed Direct Input to Direct Output

Hi guys, been scratching round the forums and my mountain of resources. Maybe I havn't read deep enough My question is not how sed edits a stream and outputs it to a file, rather something like this below: I have a .txt with some text in it :rolleyes: abc:123:xyz 123:abc:987...

6. Red Hat

Su-only account with ssh capability and no interactive login

Hello experts, Is it possible to have an user account on RHEL 6.3 as a su-only account, but with ssh capability and no interactive login? Let me elaborate. Say, we have a cluster of 5 RHEL 6.3 servers and an user account (strmadmin) on each of the server as an su-only...

7. AIX

Can I restrict IP and AIX account at the same time?

Hi Everyone, I want to know is it possible, restrict user login to AIX by IP and user name? e.g. user alice can login to AIX (via ssh or telnet) from 192.168.1.100 user alice can not login to AIX (via ssh or telnet) from 172.16.1.100 user bob can not login to AIX (via ssh or telnet)...

8. AIX

Procedure to restrict direct access as root

Hello, I would like to confirm whether the below procedure is correct. disabled direct super user access on AIX server using below procedure. Please let me know if there is any additional step. 1) confirm the access to HMC, console to reach the LPARs 2) chuser rlogin=false root ...

9. UNIX for Beginners Questions & Answers

Allow AD service account SSH to Linux systems without 2FA

I have Windows AD server and all of the linux computers are joined to AD. Recently, 2FA has been activated, I wish to exclude some of the domain service accounts from 2FA # less /etc/pam_radius_acl.conf sshd:* # /etc/pam.d/sshd auth required pam_sepermit.so auth requisite...

LEARN ABOUT OPENSOLARIS

pam_deny

pam_deny(5)						Standards, Environments, and Macros					       pam_deny(5)

NAME

       pam_deny - PAM authentication, account, session and password management PAM module to deny operations

SYNOPSIS

       pam_deny.so.1

DESCRIPTION

       The pam_deny module implements all the PAM service module functions and returns the module type default failure return code for all calls.

       The following options are interpreted:

       debug	syslog(3C) debugging information at the LOG_AUTH|LOG_DEBUG levels

ERRORS

       The following error codes are returned:

       PAM_ACCT_EXPIRED    If pam_sm_acct_mgmt is called.

       PAM_AUTH_ERR	   If pam_sm_authenticate is called.

       PAM_AUTHOK_ERR	   If pam_sm_chauthtok is called.

       PAM_CRED_ERR	   If pam_sm_setcred is called.

       PAM_SESSION_ERR	   If pam_sm_open_session or pam_sm_close_session is called.

EXAMPLES

       Example 1 Disallowing ssh none authentication

	  sshd-none	 auth	    requisite	pam_deny.so.1
	  sshd-none	 account    requisite	pam_deny.so.1
	  sshd-none	 session    requisite	pam_deny.so.1
	  sshd-none	 password   requisite	pam_deny.so.1

       Example 2 Disallowing any service not explicitly defined

	  other 	 auth	    requisite	pam_deny.so.1
	  other 	 account    requisite	pam_deny.so.1
	  other 	 session    requisite	pam_deny.so.1
	  other 	 password   requisite	pam_deny.so.1

ATTRIBUTES

       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+
       |MT Level		     |MT-Safe with exceptions	   |
       +-----------------------------+-----------------------------+

SEE ALSO

       su(1M), libpam(3LIB), pam(3PAM), pam_sm_authenticate(3PAM), syslog(3C), pam.conf(4), nsswitch.conf(4), attributes(5), pam_authtok_check(5),
       pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),  pam_unix_account(5),  pam_unix_auth(5),  pam_unix_session(5),
       privileges(5)

NOTES

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

       The  pam_deny  module  is intended to deny access to a specified service. The other service name may be used to deny access to services not
       explicitly specified.

SunOS 5.11							    16 Jun 2005 						       pam_deny(5)