topic Re: How to restrict concurrent user login? in Operating System - HP-UX

How to restrict concurrent user login?

Harry Yu — Thu, 16 Jan 2003 00:07:22 GMT

I've HP-UX 9000 10.2 here and I'm new to UNIX in general.
I'm trying to restrict users from logging in more than one or two concurrent sessions. How can I do that? Someone told me to go to /etc/default/security, but I don't find security in /etc/default. Please help.

Re: How to restrict concurrent user login?

avsrini — Thu, 16 Jan 2003 00:29:32 GMT

Hi,
You can do this, from SAM if your system is trusted.

Or create a file
/etc/default/security with root as owner and 644 permission.

Add a line

NUMBER_OF_LOGINS_ALLOWED=1

This feature will work in 11.x.
But I am not sure, whether this works in 10.20.

Srini.

Re: How to restrict concurrent user login?

Ian Kidd_1 — Thu, 16 Jan 2003 00:31:28 GMT

As far as I know, there is no "built-in" functionality to limit the number of sessions for a user.

I'd edit /etc/profile and throw something like:

LOGIN_NUMBER=`who | grep $LOGNAME | wc -l`
if [ $LOGIN_NUMBER -gt 1 ]
then
echo "You already have an open session.
If this is not the case, please notify the Sys Admin."
sleep 7
exit
fi

I tested this on a 10.20, and my shell is /usr/bin/ksh.

For testing this suggestion as well as any others that people may give, I would make sure to be logged into the server as root from a session. Messing with login restrictions can be dangerious so you want make sure you already have an established connection before doing so!

Re: How to restrict concurrent user login?

Michael Tully — Thu, 16 Jan 2003 00:31:56 GMT

Have a look at this posting, it has a number of options.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x431472106351d5118fef0090279cd0f9,00.html

Re: How to restrict concurrent user login?

Jose Mosquera — Thu, 16 Jan 2003 00:33:43 GMT

Hi,

On 10.20 is a hard task, on 11.0 you onlys need define in /etc/default/security file:
NUMBER_OF_LOGINS_ALLOWED=3 (must be in caps)
This apply for no-root users (su excluded)

And certify that PHCO_27721 patch is installed.

Other ways could be include in /etc/profile file followings lines:

MAX=3
CURRENT=`who|grep $LOGNAME|wc -l`
if [ $CURRENT -gt $MAX ]
then
exit
fi

Rgds.

Re: How to restrict concurrent user login?

Rajeev Shukla — Thu, 16 Jan 2003 00:34:16 GMT

Even if this file is not there you can create it. But i doubt if that will solve your purpose. To restrict the number of sessions a simple way would be to write a script to check the login sessions of a user and put that script in .profile or /etc/profile. So if the user is already loged in as reported by your script then exit and dont let him login(use exit in profile).

Or there is a module in PAM called as session management that allows this configuration.
Try going through this document which might give you some idea as how to go

http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062952847

Cheers
Rajeev

Re: How to restrict concurrent user login?

Harry Yu — Thu, 16 Jan 2003 00:35:12 GMT

Thanks, Srini. I've tried it and it won't work. I created the file "security" with only one line of command. Then, I tried to login more than once, still, I was able to. My server is not Trusted System. SAM prompted me to convert to Trusted System before I can do further security settings, but I'm afraid that our database (MFG/Pro) will stop running and if that happens, I'd be doomed. Can you tell me what's the different between trusted or not trusted system? Thanks alot.

Re: How to restrict concurrent user login?

Sridhar Bhaskarla — Thu, 16 Jan 2003 00:36:34 GMT

Hi,

You can follow Ian's idea. Just put one more check at the beginning of the script to allow you to have multiple sessions.

if [ "$LOGNAME" != "your_login" ]
then
Ian's code
fi

This way you can login with any number of attempts.

The corresponding file for csh would be /etc/csh.login. You need to modify the script a bit to suit to csh.

-Sri

Re: How to restrict concurrent user login?

Ian Kidd_1 — Thu, 16 Jan 2003 00:36:54 GMT

I stand corrected about "no built-in functionality" - thanks Srinivasan!.

I haven't tried that on 10.20.

by the way - Harry,
if you assign points
then please don't assign any to this second entry!
fi

Re: How to restrict concurrent user login?

Ian Kidd_1 — Thu, 16 Jan 2003 00:45:19 GMT

Harry,

A trusted system is HP-UX with additional security enhancements.
The world-readable /etc/passwd file no longer has encrypted passwds in it instead, the encrypted passwords are stored in /tcb, which can only by accessed by root.
you also can enable auditing and additional password security functionality.

the decision to convert to a trusted system should not be taken lightly. On a 10.20, you'd want to make sure that you have the latest patches before even considering to convert. Doing a little digging in the ITRC forums will uncover a lot of horror stories regarding people who converted without enough preparation/backout plans

Re: How to restrict concurrent user login?

Bill Hassell — Thu, 16 Jan 2003 01:05:47 GMT

/etc/default/security is a feature of 11.0 and higher, so creating it in 10.20 does nothing. Just add the test into /etc/profile (assuming that users are doing 'normal' telnet logins and using ksh or POSIX shell.

Note that restricting users to a small number of sessions doesn't help performance since a single session could consume all CPU and memory. Perhaps the users are running Xwindows and starting xterms or dtterms on your system? Consider using a local telnet client rather than xterm/dtterm/hpterm.

Re: How to restrict concurrent user login?

Wilfred Chau_1 — Thu, 16 Jan 2003 01:12:23 GMT

Here is what I did:

#! /usr/bin/sh
checkuproc () {
termtty=$(/usr/bin/who -Rm |/usr/bin/awk '{print $2}')
num_u_proc=$(($(/usr/bin/ps |/usr/bin/grep "$termtty"|/usr/bin/grep $mproc|/usr/bin/wc -l)))
if [ ${num_u_proc} -gt 1 ]; then
print "Error: There is already a session running."
session=1
fi
}

# main

session=0
checkuproc

if [ $session -ne 0 ]; then
exit
fi

Re: How to restrict concurrent user login?

Wilfred Chau_1 — Thu, 16 Jan 2003 01:14:50 GMT

One more thing, you need to run the script in the user's profile.

Re: How to restrict concurrent user login?

Wilfred Chau_1 — Thu, 16 Jan 2003 01:21:41 GMT

One last thing. remove "/usr/bin/grep $mproc" as well.

Re: How to restrict concurrent user login?

avsrini — Thu, 16 Jan 2003 01:23:42 GMT

Hi Harry,

For the differences check the following link.

http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000065676950

I'v cut & pasted some points here

The following information lists the MAJOR differences between trusted
and non-trusted systems:

1. A trusted system allows system auditing to be turned on.
System auditing enables the ability to trace every system call
issued by each user on the system. Non-trusted systems run
with system auditing disabled.

2. Trusted systems have improved password management.

Below is a list of password management features:

a. Specification of a grace period and expiration period for
passwords.

b. The ability to specify system-wide password aging.

c. The ability to specify an absolute account life.

d. The ability to disable accounts after repeated login
failures.

e. Passwords lengths of up to forty (40) characters.

f. The ability to access a random password generator.

3. Trusted systems have additional login restrictions, while
non-trusted systems do not. Below are the features of
trusted system login restrictions:

a. In addition to account disabling, the account may also be
locked.

b. Setting accounts to be accessed only at certain times of
the day.

c. The ability to specify account location access. In other
words, account access at specific devices, workstations,
and so on.

d. The ability to specify a single-user boot password.

Note: These login restrictions are NOT available on
NON-TRUSTED systems.

4. A trusted system has shadowed passwords, while a non-trusted
system does not have shadowed passwords. Shadowed passwords
are kept in locations other than /etc/passwd. This prevents
users from viewing the /etc/passwd file and determining which
accounts do not have passwords. This also prevents hackers from
running "password cracker programs" against passwords in the
/etc/passwd file.

For more information, please refer to the following document:

"Administering Your HP-UX Trusted System"

Srini
SYD-IT.

Re: How to restrict concurrent user login?

David_246 — Thu, 16 Jan 2003 10:44:53 GMT

Hi Harry,

Don't you think they helped you out a lot ?
You'dd better give them some points for their answers. They will be helping you twice as fast next time :)

Regs David

Re: How to restrict concurrent user login?

Harry Yu — Thu, 16 Jan 2003 17:23:21 GMT

Thanks, Ian. The script you gave me works!!! Wohooo!
Also, thanks to everybody here. Your responds are so fast and I really appreciated!

Re: How to restrict concurrent user login?

Harry Yu — Thu, 16 Jan 2003 17:32:55 GMT

Now I've get the script to work under /home/"username"/.profile. The next question is how can I apply this script to every user's .profile without have to menully type it in? We're talking about 40 users here. Not a very fun task. Thanks again, everyone.

Best regards,

Harry
- newbie to UNIX

Re: How to restrict concurrent user login?

Wilfred Chau_1 — Fri, 17 Jan 2003 00:15:34 GMT

You can put it to /etc/profile for all users.

Re: How to restrict concurrent user login?

Ian Kidd_1 — Fri, 17 Jan 2003 00:40:15 GMT

Wilfred Chau's suggestion would be the best way - put the script I gave you into /etc/profile. When I tested this script, that's where I put it and it worked fine. You could probably create a script to put it in everyone's .profile, but I think that's too much work for not enough benefit.

Sorry about the delay in responding - when I saw the "magic rabbit" by your thread, I made the assumption that the thread was complete.