Re: how to prevent users logging in more than once?

inventsekar_1 · ‎06-19-2006

i like to know how to prevent users from logging in thru telnet more than once in a hpux(any version) system.
i like to know the same thing for sun solaris.
thanks in advance.

Be Tomorrow, Today.

Enrico P. · ‎06-20-2006

Hi,
in the user .profile you can add a line that start a script like this:

number_conn=who|grep -c username

if [ $number_conn > num_conn_you_want ]; then
exit
fi

The script should not have write permission for user

Enrico

Enrico P. · ‎06-20-2006

Sorry the user can modify him .profile ...

Enrico

rariasn · ‎06-20-2006

Hi sekar,

HPUX:

Modify file /etc/security/defaults

NUMBER_OF_LOGINS_ALLOWED
This parameter controls the number of simultaneous
logins allowed per user. This is applicable only for
non-root users.

NUMBER_OF_LOGINS_ALLOWED=0 Any number of logins are
allowed per user.

NUMBER_OF_LOGINS_ALLOWED=N N number of logins are
allowed per user.

Default value: NUMBER_OF_LOGINS_ALLOWED=0

man security

rgs,

ran

Steven E. Protter · ‎06-20-2006

Shalom

in /etc/profile

LOGINS=$(who | grep $LOGNAME |wc -l)
if [ $LOGINS -ge 1 ]
echo "Multiple logins not permitted. bad little boys and girls.... Shame on you."
exit 1
else
"Logging in a well behaved user"
fi

Don't use my text, I'm trying to be funny.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Steven E. Protter · ‎06-20-2006

Shalom

in /etc/profile

LOGINS=$(who | grep $LOGNAME |wc -l)
if [ $LOGINS -ge 1 ]
echo "Multiple logins not permitted. bad little boys and girls.... Shame on you."
exit 1
else
echo "Logging in a well behaved user"
fi

Don't use my text, I'm trying to be funny.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

inventsekar_1 · ‎06-20-2006

1.) /etc/profile files permission is -r--r--r--. if i write the scripte in this file, user cannot edit it. ie user only can read that. no write permission to users. right?

2.) is this same for sun solaris also?

Be Tomorrow, Today.

TKeller · ‎06-20-2006

Since I've always been one to make everything as redundant as possible, I'd do the following:

1: put a logon script inside /etc/skel/.profile that does what above scripts do with logon checks. Make sure it's owned by a user like bin and group-owned by bin (or root/bin), and chmod'd 444.

2: for existing users, do something like this:

for i in `cat /etc/passwd | awk -F: '{ if ( $3 >= 100 ) { print $1 } }'`
do
cp /etc/skel/.profile /home/$i/.profile
chmod 444 /home/$i/.profile
done

This way you secure the .profile against typical modifications and everyone's covered with step #2. The only problem would be specific users who have sudo access that allows them to vi, pico, whatever.

It is said you should treat your body like a temple. I treat mine like an amusement park.

Bill Hassell · ‎06-20-2006

The file to control logins is /etc/profile (unless you have some csh users) and no user can change this file except root. The /etc/defaults/security is meaningless for early versions of HP-UX and some options don't work (and do not produce any error messages) if all the security patches are not installed. There is no way to protect .profile because users (normally) have write access to their $HOME directory. So even if you replace all the .profile files every day, users will just remove or rename the file no matter what permissions and ownership you give to .profile (and users will get angry if you blow away their customizations in .profile).

/etc/profile is executed by all POSIX shells including ksh, bash and HP's POSIX shell, and also by the Bourne shell (/usr/old/bin/sh in HP-UX). The man page for each shell gives the details about startup (login).

Bill Hassell, sysadmin

TKeller · ‎06-20-2006

Yeah, it's rather interesting how a 444 file not owned or group-owned by the user or their group can be overwritten. Kinda defeats the purpose of setting an initial /etc/skel/.profile that gets moved in on a user creation.

It is said you should treat your body like a temple. I treat mine like an amusement park.

Bill Hassell · ‎06-20-2006

Actually, it is basic permission rules for all Unix flavors. A file's contents (only) are protected by the file's permission. But the file's existence (mv or rm) have nothing to do with file permissions. The directory permissions control the existence of the files inside. For a complete answer, you can set the 'sticky' bit for a directory so that only the owner of a file or the owner of the directory can remove or rename a file. But the user's HOME directory needs to owned by the user so that option doesn't work. You'll find the sticky bit often set on /tmp and /var/tmp.

Bill Hassell, sysadmin

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: how to prevent users logging in more than once?

how to prevent users logging in more than once?