# Single user login (session) on sshd.



## ustuntas (Sep 4, 2009)

Hello all,

How can I arrange, on FreeBSD or OpenSSH, that a user can log in only once
at the same time? If a user is logged in to the system, another person
who knows the username and password can't log in (at the same time) while the user's session is active.

One user may log in one time; maybe this is in FreeBSD login.conf or
sshd_config.

Any idea please,

Regards,

ustuntas


----------



## SirDice (Sep 4, 2009)

Use public/private keys with passwords. That way that 'other' user must also have the private key before s/he can log in.


----------



## ustuntas (Sep 4, 2009)

Yes,

That is one way, but users are not familiar with this. They
use the SSH login from different locations and there is no
computer of their own.

I googled and found some posts about pam_limits.so with ssh, but
there is no pam_limits PAM module in FreeBSD.

Any idea,


----------



## SirDice (Sep 4, 2009)

Are these employees? If so do you have a security policy?

If not make one. Have it state that usernames/passwords are STRICTLY PERSONAL. Under no circumstances are you allowed to share your passwords with anyone. Make everyone sign it. Add it to the standard contract for new employees.

I'll guarantee you password sharing will stop once you've fired a couple of people for breaching the contract.


----------



## ustuntas (Sep 4, 2009)

They are not employees. You are right. 

But we want to make this a security project.

Regards,

ustuntas


----------



## ustuntas (Sep 4, 2009)

Hello again,

I searched for pam_limits and it is just what I want. How can I
configure this PAM module on FreeBSD? Is there any way?

Regards,

ustuntas


----------



## pbd (Sep 4, 2009)

It's far from an ideal solution, but I would write a simple wrapper around the user's shell to limit access to just one. Something like:


```
#!/bin/sh

if who | awk '{ print $1 }' | fgrep -q `whoami`
then
  exit 1
else
  /bin/tcsh
fi
```

and force this command in `/etc/ssh/sshd_config`:


```
Match User someuser
    ForceCommand /usr/local/bin/wrapper
```


----------



## ustuntas (Sep 4, 2009)

Ok, 

I'll just try it and come back again.

Regards.


----------



## ustuntas (Sep 4, 2009)

Hello again,

This solution didn't work for me. I have done the following
steps


```
# vi /etc/sshd/sshd_config
 >> Match User remoteuser
    ForceCommand /bin/sshd_wrapper
then,
# vi /bin/sshd_wrapper
 >>
 #!/bin/sh
 if who | awk '{ print $1 }' | fgrep -q `whoami`
 then
   exit 1
 else
   /bin/tcsh
 fi
# chmod +x /bin/sshd_wrapper
# /etc/rc.d/sshd restart
```

Then the user can still log in twice at the same time.

Regards,

ustuntas


----------



## DutchDaemon (Sep 4, 2009)

```
#!/bin/sh
 if who | awk '{ print $1 }' | fgrep -q `whoami`
```

This will always match. The user logging in is executing this wrapper in /bin/sh -- so he's already logged in according to who.

Wrapper run with -xv:

```
Password:
#!/bin/sh -xv
 if who | awk '{ print $1 }' | fgrep `whoami`
 then
   exit 1
 else
   /bin/tcsh
 fi
+ who
+ awk '{ print $1 }'
+ whoami
+ fgrep testuser
testuser
+ exit 1
```

So logging in is not allowed at all. You'll have to use a counter here ..


----------



## ustuntas (Sep 4, 2009)

I changed the sshd_wrapper as you said, but my problem is still the same.

Please, what am I doing wrong?

Regards,

ustuntas


----------



## DutchDaemon (Sep 4, 2009)

I don't know what you changed. Put

```
#!/bin/sh -xv
```

at the top of the wrapper script, and log into the server from another location (using command-line ssh) and watch the output on the screen.


----------



## pbd (Sep 4, 2009)

DutchDaemon said:

> ```
> #!/bin/sh
> if who | awk '{ print $1 }' | fgrep -q `whoami`
> ```
> ...



Aghhh.... this will do better:


```
#!/bin/sh

if test `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
 fi
```
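Added example, not pbd's script or anything else posted in the thread: a variant of this ForceCommand wrapper that counts only exact user-name matches in `who` output (so a user named bob is not counted against bobby), with the counting split into functions that can be exercised against constructed `who` output. It assumes the login shell /bin/tcsh, a limit of one session, and that sshd invokes it as `ForceCommand /usr/local/bin/wrapper --enforce`; those are my assumptions, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread. A ForceCommand wrapper that limits
# concurrent interactive logins by counting exact user-name matches in `who`.
# Assumed: login shell /bin/tcsh, one session allowed, invoked by sshd with
# the --enforce argument (ForceCommand /usr/local/bin/wrapper --enforce).

MAX_SESSIONS=1
LOGIN_SHELL=/bin/tcsh

# count_sessions USER WHO_OUTPUT
# Prints how many lines of WHO_OUTPUT have USER as their whole first field.
# Exact comparison in awk, unlike `fgrep user`, does not match "bobby" for "bob".
count_sessions() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# session_allowed USER WHO_OUTPUT
# Succeeds when the count, which already includes the session that is running
# this wrapper (it has a utmp entry by the time ForceCommand runs), is within
# the limit.
session_allowed() {
    [ "$(count_sessions "$1" "$2")" -le "$MAX_SESSIONS" ]
}

# Constructed sample `who` output, used only to exercise the functions above.
SAMPLE_WHO='remoteuser  pts/0  Sep  4 10:00 (192.0.2.10)
bob         pts/1  Sep  4 10:05 (192.0.2.11)
bobby       pts/2  Sep  4 10:06 (192.0.2.12)
remoteuser  pts/3  Sep  4 10:07 (192.0.2.13)'

# Real wrapper behaviour, only when sshd invokes the script with --enforce.
if [ "${1-}" = "--enforce" ]; then
    if session_allowed "$(id -un)" "$(who)"; then
        exec "$LOGIN_SHELL" -l
    fi
    echo "Only $MAX_SESSIONS concurrent session(s) allowed for $(id -un)." >&2
    exit 1
fi
```

Only sessions that received a utmp entry (an interactive pty) show up in `who`, so the wrapper only limits interactive logins. ForceCommand also replaces whatever command the client requested, so scp or sftp to that account will be handed the shell as well.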


----------



## ustuntas (Sep 4, 2009)

Yes, I have added -xv at the top of the script like


```
#!/bin/sh -xv

if who | awk '{ print $1 }' | fgrep `whoami`
then
  exit 1
else
  /bin/tcsh
fi
```

Then my user can log in twice at the same time.


----------



## pbd (Sep 4, 2009)

ustuntas said:

> Yes, I have added -xv at the top of the script like
> 
> 
> ```
> ...



Try the script in post #13 and be sure to restart sshd (if you didn't after changing sshd_config).


----------



## ustuntas (Sep 4, 2009)

Hello again,

I have changed my /bin/sshd_wrapper as follows

```
#!/bin/sh -xv

if remoteuser `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi
```

And restarted sshd. But the user can log in more
than once at the same time. When I run the wrapper in
the shell after two logins of the same user:


```
#!/bin/sh -xv

if remoteuser `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi
+ who
+ awk { print $1 }
+ whoami
+ wc -l
+ fgrep remoteuser
+ remoteuser 2 -gt 1
remoteuser: not found
+ /bin/tcsh
```

Problem is still same! 

ustuntas


----------



## pbd (Sep 4, 2009)

ustuntas said:

> Hello again,
> 
> I have changed my /bin/sshd_wrapper as follows
> 
> ...



The "`test`" word in the script is not a user name but the command test. So the line should be:


```
if test `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
```


----------



## ustuntas (Sep 4, 2009)

Ok. So sorry, my mistake. I changed the /bin/sshd_wrapper as you said

```
#!/bin/sh -xv

if test `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi
```
and restarted sshd again. But the problem is still the same. When running the script in the shell as follows, the script runs correctly I
think, but the user couldn't exit the shell.

```
#!/bin/sh -xv

if test `who | awk '{ print $1 }' | fgrep \`whoami\` | wc -l` -gt 1
 then
   exit 1
 else
   /bin/tcsh
fi
+ who
+ awk { print $1 }
+ whoami
+ wc -l
+ fgrep remoteuser
+ test 3 -gt 1
+ exit 1
```


----------



## DutchDaemon (Sep 4, 2009)

What do you mean by 'couldn't exit the shell'?

This shows that this particular login would have failed:


```
+ exit 1
```


----------



## ustuntas (Sep 7, 2009)

Back Again.

I mean that the second user can still access the shell at the same time - the first user is still in the shell.
But I don't want the second user to log in (the user should not access the shell).

The script may run correctly but the second user can access the
shell.

What am I doing wrong?

ustuntas


----------



## ustuntas (Sep 7, 2009)

*[solved]*

Hello all,

There was a big mistake on my part. I solved the problem. I mixed up my
config files so the wrapper wasn't run. But I changed the config files
and the wrapper is running correctly.

I want to thank all you guys for answering.

Regards,

ustuntas


----------

