Operating System - HP-UX

Re: Letting only one instance of a user logging in to a machine

 
SOLVED
Vincent Farrugia
Honored Contributor

Letting only one instance of a user logging in to a machine

Hello,

In HP-UX, can you restrict a user to logging in only once? For example, the user "foo" can only log in once on a certain machine. I.e., whenever you issue the who command, foo can only appear once, not more.

Thanks,
Vince
Tape Drives RULE!!!
14 REPLIES 14
Elmar P. Kolkman
Honored Contributor
Solution

Re: Letting only one instance of a user logging in to a machine

You could do it by using a special login-shell that does this, or if you trust the user a bit more, it can be done from the .profile or /etc/profile: kick the user if there are 2 (or more) entries in who with the following:

if [ $(who | grep "^`whoami` ") -gt 1 ]
then
echo "Sorry, but you're already logged in"
exit
fi

Mind the space between the back-quote and the double quote... It ensures that small differences between usernames are not mistreated. For instance test3 shouldn't be kicked if only test is logged in. The same for the leading caret.

To do it using a login shell is trickier, since it should be a binary file.
Every problem has at least one solution. Only some solutions are harder to find.
Mark Grant
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

I don't think there is a specific utility but it is quite easy to achieve yourself.

In the .profile just count login shells for the user "-ksh" using "ps" or directly read utmp or use "last" and just exit if there are more than you want.
Never precede any demonstration with anything more predictive than "watch this"
Vincent Farrugia
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

Elmar,

I cannot get your script to work. In scripting I am rubbish. Didn't understand regarding spaces and stuff.

Can you please rephrase? :-)

Thanks,
Vince
Tape Drives RULE!!!
Elmar P. Kolkman
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

What I mean is that the argument for grep needs some extra characters, apart from the output from whoami.

It should be: grep whoami

(^) at the beginning of a string means the start of the line

Are there any errors or things like that you get from my 'script' (which is only a part of a script and needs to be added to a .profile or /etc/profile to work) that could help solve the problem?
Every problem has at least one solution. Only some solutions are harder to find.
Vincent Farrugia
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

Hello,

I got it to work by adding wc -l like this:

if [ $(who | grep foo | wc -l) -gt 1 ]
then
echo "bla bla"
fi

Thanks, case closed.

Vince
Tape Drives RULE!!!
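
Added example, not part of any post in this thread: it runs the unanchored count (`who | grep foo | wc -l`) and an exact match on the login-name field over the same who listing, which is the test/test3 point made above. The who output is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of who(1) output; on a live system pipe `who` in instead.
SAMPLE_WHO='foo        pts/0        Jan 12 09:01
foobar     pts/1        Jan 12 09:05
test3      pts/2        Jan 12 09:07
foo2       pts/3        Jan 12 09:10'

# Unanchored count, equivalent to `who | grep foo | wc -l`: every line that
# contains the string is counted, including other users' sessions.
count_unanchored() {
    grep -c -F -- "$1" || true    # grep exits 1 on zero matches; still prints 0
}

# Exact count: compare the whole first field (the login name) to the user.
count_exact() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Succeeds when user $1 has at most $2 sessions in the who output on stdin.
# The session running the check is already listed by who, so a limit of 1
# means "this login and no other".
login_allowed() {
    [ "$(count_exact "$1")" -le "$2" ]
}

# How it would sit in /etc/profile (commented out so this block is inert):
# if ! who | login_allowed "$LOGNAME" 1; then
#     echo "Sorry, but you're already logged in"
#     exit
# fi

# Demo on the constructed sample: foo is logged in once, yet the unanchored
# count also picks up foobar and foo2 and would lock foo out.
printf 'unanchored=%s exact=%s\n' \
    "$(printf '%s\n' "$SAMPLE_WHO" | count_unanchored foo)" \
    "$(printf '%s\n' "$SAMPLE_WHO" | count_exact foo)"
```

A check in .profile or /etc/profile only runs for login shells that read those files, so it limits honest users rather than enforcing a policy.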
Elmar P. Kolkman
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

You are right. Problem with copying scripts by hand from an X-terminal to MS desktop... Totally missed the wc -l

Glad it works.
Every problem has at least one solution. Only some solutions are harder to find.
Mark Grant
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

I think you might need a count in there such as "wc -l" at the end of the "whoami" bit.

Also, note that this won't stop people logging in as someone else and doing an su but you can't have everything :)

Never precede any demonstration with anything more predictive than "watch this"
Vincent Farrugia
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

Thanks, actually I'm surprised I managed to get to the wc -l myself. I haven't done scripting in more than a year. Good to surprise yourself every once in a while hehe.

Case closed
Tape Drives RULE!!!
Darren Prior
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

Hi Vince,

I know you've marked this question as closed, but I thought you might be interested to know that HP-UX does have that functionality without having to add extra scripts.

The NUMBER_OF_LOGINS_ALLOWED parameter in /etc/default/security defines the number of logins for non-root users. It's available at 11.00 (providing you have PHCO_27004 - login patch [which also requires PHCO_25976]), and at 11i. The security(4) man page is available on 11i systems, or at http://docs.hp.com

regards,

Darren.
Calm down. It's only ones and zeros...
RolandH
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

@ Darren,

Must the system be a trusted system for this to work, or does this work with a normal system, too?

THX
Roland
Sometimes you lose and sometimes the others win
Pete Randall
Outstanding Contributor

Re: Letting only one instance of a user logging in to a machine

Roland,

No, it doesn't have to be trusted. Do a man on security. The man page may not be up to date with all the latest features, but it will get you started.


Pete
RAC_1
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

Roland,

It will work irrespective of that.
There is no substitute to HARDWORK
RolandH
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

THX Guys !!! =|;-]
Sometimes you lose and sometimes the others win
Todd McDaniel_1
Honored Contributor

Re: Letting only one instance of a user logging in to a machine

My company uses this method for identifying additional logins to warn but not to deny...

You can modify this to kill the new login... by grepping for the process for the telnet session.

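# Warn, but do not deny, when ${LOGNAME} is already logged in on another tty.
MY_TTY=`tty | cut -f3- -d'/'`    # current tty without the /dev/ prefix
# finger entries for this user, minus the line for the current tty
USERS=`finger -fim ${LOGNAME} | grep -v "${MY_TTY}"`
case "${USERS}" in
${LOGNAME}*"Not Logged In"|"") ;;    # no other session: nothing to do
*) TIME=`date '+%T'`
   # notify every other writable tty this user is logged in on
   for TTY in `cut -c12-19 << EOF
${USERS}
EOF
`
   do
      test -w /dev/${TTY} && echo "SECURITY WARNING!!^G^G Another user is logging on to ${LOGNAME} at ${TIME}" > /dev/${TTY}
   done
   # show the existing sessions to the user who is logging in now
   echo "*********************************************************"
   echo "* SECURITY WARNING!!^G^G ${LOGNAME} already logged on! IDLE *"
   sed -e 's/^/* /' -e 's/$/ */' << EOF
${USERS}
EOF
   echo "*********************************************************"
   ;;
esac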
Unix, the other white meat.