
Re: Login Limiter

 
Scott D. Allen
Regular Advisor

Login Limiter

Anyone know of any utilities (homegrown or not) to limit the number of logins on a per-user/group basis? (ie. only allow johnc 2 logins at a time while allowing group admins as many as they want)?

--Scott
"Sometimes the devil you know is better than the devil you don't know."
Bill Hassell
Honored Contributor

Re: Login Limiter

There is no off the shelf tool but the place to handle this is in /etc/profile (assuming everyone is using the POSIX, ksh or Bourne shell for login). Put the test code at the top and look at a config file in /etc (for instance). The file could be a list of exceptions (user ID's that are allowed unlimited sessions) and a more generalized format where each UID has a login limit number.

It will be a bit of a maintenance issue as each new user will have to be added to this list. And since the user can change their shell without root assistance (chsh), you will have to add this limiting code to profiles that match other shell startup processes.

An alternative might be to scan ps and look for excessive numbers of processes for a given user and report the results. While you could arbitrarily kill old processes that exceed a limit, it may create a politically awkward situation.


Bill Hassell, sysadmin
Rick Garland
Honored Contributor

Re: Login Limiter

Did something similar to this. Used common profiles for the users of particular groups.
Depending on the group's membership, would check to see if they have a login on the system. If they do, would not let them into the second session.

Being this was based upon the group membership, another group that would not have this restriction was using another profile.

This same logic can be applied to the /etc/profile and the user's group membership. There was a group that did not have the multiple login restrictions. If the need came up for a restricted user to have multiple logins, it was just a matter of adding to the other group as well and they could have multiple logins.

Sorry I don't have the syntax.
Rick Garland
Honored Contributor

Re: Login Limiter

Found some more info.

The users would source a common profile that we had located elsewhere.
The script would do a grget command to find the group memberships for the user. If the user was in a particular group that was specified in the script, multiple logins would be allowed. If they were not in the group, only one login session. This allowed for relatively easy maintenance because if the user needed multiple logins, just as easy as adding to the specified group.
Kenneth Martin
Occasional Advisor

Re: Login Limiter

If you were using the Bourne shell you could add the following piece of code to the end of their .profile file. In this case the user is limited to 3 sessions. This way I only have to modify the .profile for special users. Regular users get the example below. Sorry for the long lines. Hope this is some help.

trap exit 1 2 3 15
Me=`who am i | cut -f1 -d' '`
# Count only lines that are exactly this user name, so "john" does not also count "johnc"
Cnt=`who -uH | cut -f1 -d' ' | grep -cx "${Me}"`
echo "Current active sessions for ${Me} = ${Cnt}."; sleep 2
if [ "${Cnt}" -gt 3 ]
then
    # \07 rings the terminal bell (Bourne shell echo interprets the escapes)
    echo "\n\nWarning: Too many concurrent login sessions active!\07"
    echo " Session terminated!\07\n\n"
    sleep 5
    exit
fi
unset Me Cnt

echo " "
banner "Hi" $LOGNAME ; sleep 3
echo " "
Scott D. Allen
Regular Advisor

Re: Login Limiter

I want to limit everyone EXCEPT a few special users. So, I'm creating a special group "unlimited" and adding everyone who needs unlimited access to that group. Then, I'm adding the following to /etc/profile to limit everyone else to 2 sessions.

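AdminGroup=666
SessionLimit=2
UserID=`id -un`
# Match the whole user name so "john" does not also count "johnc"
UserSessions=`who | cut -f1 -d' ' | grep -cx "${UserID}"`
# Look for the user in the member list (4th field) of the group entry
if [ `grget -g ${AdminGroup} | cut -f4 -d: | tr ',' '\012' | grep -cx "${UserID}"` -ne 1 ]
then
    # who already lists the session that is logging in, so -gt allows SessionLimit sessions
    if [ ${UserSessions} -gt ${SessionLimit} ]
    then
        echo " Session limit reached. Further logins not permitted."
        exit 1
    fi
fi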

--Scott
"Sometimes the devil you know is better than the devil you don't know."
Kenneth Martin
Occasional Advisor

Re: Login Limiter

Yes, I like your idea. It looks cleaner than what I am using. Unfortunately what I wrote was from some time ago and didn't take advantage of the newer commands like "id".
My only comment is if the users are making telnet connections I added a sleep 5 before the exit to give the user a chance to read the message before closing the connection.
Scott D. Allen
Regular Advisor

Re: Login Limiter

Last point. What about people using Xdisplay's (rexec, etc.) to pull up Xterms?

--Scott
"Sometimes the devil you know is better than the devil you don't know."
Rick Garland
Honored Contributor

Re: Login Limiter

In Exceed, the use of rexec does not go through the profile. Have discussed in detail with HP and Hummingbird to no avail. Their response is to turn off the rexec process.

Other protocols should have no trouble. They come up in the emulator, get the login prompt, go through the profile, and they should be set.
Scott D. Allen
Regular Advisor

Re: Login Limiter

Does Exceed do telnet or something BESIDES rexec?
This might be trouble.

--Scott
"Sometimes the devil you know is better than the devil you don't know."
Rick Garland
Honored Contributor

Re: Login Limiter

Yes - it does rsh, rlogin, telnet, and a couple of others. I stay with the RLOGIN protocol and everything works fine.
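
The /etc/profile session check discussed in this thread, written as an added example that is not part of any original post: it compares whole user names and whole group-member names, so a substring such as "john" inside "johnc" or "mjohn" cannot change the decision. The function names and sample data are constructed for illustration, and a POSIX shell is assumed.

```shell
#!/bin/sh
# Added example: exact-match session limiter logic for /etc/profile.
# Function names and SAMPLE_* data are constructed, not from the thread.

# Count sessions of exactly user $1 in `who`-style lines read from stdin.
count_sessions() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Succeed if user $1 appears in the member field of a group entry
# (name:passwd:gid:user1,user2) read from stdin, e.g. from `grget -g 666`.
# Users who have the group only as their primary group are not listed there.
in_group_entry() {
    awk -F: -v u="$1" '{ n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print "allow" or "deny". $1 user, $2 limit, $3 who output, $4 group entry.
decide() {
    if printf '%s\n' "$4" | in_group_entry "$1"; then
        echo allow
        return 0
    fi
    n=$(printf '%s\n' "$3" | count_sessions "$1")
    # login records the new session before the profile runs, so n includes it
    if [ "$n" -gt "$2" ]; then echo deny; else echo allow; fi
}

# Constructed sample: johnc is opening a third session, john has one.
SAMPLE_WHO='john       pts/0   Mar  3 09:12
johnc      pts/1   Mar  3 09:15
johnc      pts/2   Mar  3 09:40
johnc      pts/3   Mar  3 10:02
root       console Mar  3 08:00'
SAMPLE_GROUP='unlimited::666:root,mjohn'

for u in john johnc root; do
    echo "$u: $(decide "$u" 2 "$SAMPLE_WHO" "$SAMPLE_GROUP")"
done

# Use in /etc/profile on the system from the thread (ignore signals first,
# so the check cannot be interrupted from the keyboard):
#   trap '' 1 2 3 15
#   [ "$(decide "$(id -un)" 2 "$(who)" "$(grget -g 666)")" = deny ] && exit 1
#   trap 1 2 3 15
```

With a plain `grep -c john`, the sample above would count four sessions for john and treat him as a member of the exempt group because of "mjohn".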