Re: [expert] multiple logons

2000-09-07 Thread Anton Graham

Submitted 07-Sep-00 by Ron Johnson, Jr.:
> Would it be easier, if not foolproof, to enforce single-login
> on dumb serial terminals?

Certainly.  You restrict all users to using a common shell (we'll use bash,
for this example) and source a watchdog script from the global login
configuration file (/etc/profile).  The watchdog script could be similar to
the following one liner:

# Exit the login shell unless this is the user's only session.  The login
# name is matched exactly (grep -x); a plain grep "$USER" would also match
# substrings such as "alice" for user "al", or a tty/host containing the name.
[ "$(who | awk '{print $1}' | grep -cx "$USER")" != 1 ] && exit

Essentially, it immediately logs out any login attempts beyond the first.

A slightly prettier version (from the user's perspective) would be:

MaxLogs=1
# Count this user's sessions in utmp, matching the login name exactly.
Logins=$(who | awk '{print $1}' | grep -cx "$USER")

# The current login is already in utmp, so more than MaxLogs sessions means
# this is an extra one: report it and end the login shell.
[ "${Logins}" -gt "${MaxLogs}" ] && {
  echo "This is login ${Logins} of ${MaxLogs} permitted."
  exit
}

Note that this *will* detect Eterm, gnome-terminal, and rxvt as discrete
users (the terminal is opened as /dev/pts/?).  xterm and konsole apparently
do not handle things in a sufficiently similar manner for this to catch them
(no pty).

-- 
Anton Graham                            GPG ID: 0x18F78541
[EMAIL PROTECTED]                       RSA key available upon request
 
There are three rules for writing a novel.  Unfortunately, no one knows what
they are. 
  -- Somerset Maugham





Re: [expert] multiple logons

2000-09-07 Thread Matthew Micene

On Thu, 07 Sep 2000, you wrote:
> Submitted 07-Sep-00 by Ron Johnson, Jr.:
> > Would it be easier, if not foolproof, to enforce single-login
> > on dumb serial terminals?
>
I would say the best way to restrict logins for users is with the PAM
authentication scheme.  Mandrake is (or can be) installed with PAM by
default, and login is a PAM aware application.  I don't recall the exact
syntax for the configuration files but PAM is designed to handle just this
sort of problem.  You can also configure all sorts of other quotas with
PAM such as number of processes a user can spawn, whether or not core
files can be created by that user, and all sorts of other things.  

As far as the central domain controller NT style argument, I would suggest
looking at NIS or NIS+, which is just that, a centralized domain
controller.  The controls are relatively fine grained for access to the
NIS domain; the major problem with NIS is security.  There is none.  If
someone can gain access to the NIS network, it is then trivial to 1)
discover the NIS domain name and add themselves to it, allowing attacks to
be mounted, or 2) attack the network to insert themselves as the new domain
host and reroute all authentication requests to their box.  Even though
NIS does support the use of the shadow password file, the biggest problem
is the fact that an attacker can bind to the NIS domain and then request
the password map, which NIS will gladly hand over.  There are other types
of access control as well; AFS has access control built into the system as
well as file system sharing.  NIS and NFS in combination are one of the
standard bite-the-bullet *nix administration solutions.  So long as one
knows what the risks are and accounts for those in the rest of their
security policies, it can be a manageable and working solution.


-- 
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close is busy, hung or dead
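The PAM piece Matthew is thinking of is pam_limits, which reads /etc/security/limits.conf and can cap the number of concurrent logins per user or group. The following is an added configuration example, not part of the original post or of any distribution's default files; it assumes the clerks are members of a group named clerks (an assumed name) and log in through login(1):

```text
# /etc/security/limits.conf        (domain   type   item       value)
# Clerks get at most one concurrent login each.  maxlogins is counted from
# utmp, so every terminal window that registers itself in utmp counts as a
# login, exactly as with the who-based check earlier in the thread.
@clerks        hard    maxlogins       1

# /etc/pam.d/login   (the same line belongs in every PAM service that opens a
# session for these users: sshd, xdm/gdm, ...; a service without it enforces
# nothing)
session        required        pam_limits.so
```

The limit is applied when the session is opened, so a clerk who is already logged in is refused the second login rather than having the first one killed, and pam_limits records a "Too many logins" message in the auth log. It does not apply to uid 0. Test it the obvious way: log in twice as a member of the group and confirm the second attempt fails, then try the same from each service (console, ssh, display manager) that the clerks can reach.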


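To see whether your own NIS server hands out password hashes the way Matthew describes, pull the map and inspect the second field of each entry. The script below is an added example, not part of the original post; it assumes the map is fetched with ypcat passwd (yp-tools) on a host already bound to the domain, and the sample map it checks is constructed rather than captured from a real server.

```shell
#!/bin/sh
# Audit a NIS passwd map for exposed password hashes.
# Usage on a bound client:   ypcat passwd | exposed_hashes
# (Assumed: ypcat from yp-tools is installed and ypbind has a server.)

# exposed_hashes: read passwd(5)-format lines on stdin and print "user:uid"
# for every account whose password field holds a real hash rather than a
# placeholder ("x" for shadowed, "*" / "!" / "!!" for locked, or empty).
exposed_hashes() {
    awk -F: '
        NF >= 7 && $2 != "" && $2 != "x" && $2 !~ /^\*/ && $2 !~ /^!+$/ {
            print $1 ":" $3
        }'
}

# count_exposed: number of accounts reported by exposed_hashes (0 when clean)
count_exposed() {
    exposed_hashes | grep -c .
}

# Constructed sample of what `ypcat passwd` returns when the map is built
# from a non-shadowed passwd file: two of the five entries leak a hash.
SAMPLE='root:x:0:0:root:/root:/bin/bash
clerk1:$1$abcdefgh$0123456789abcdefghijkl:1001:100:Clerk One:/home/clerk1:/bin/bash
clerk2:*:1002:100:Locked Clerk:/home/clerk2:/bin/false
svc:!!:1003:100:Service:/nonexistent:/sbin/nologin
clerk3:AbCdEfGhIjKlM:1004:100:Clerk Three:/home/clerk3:/bin/bash'

# audit_sample: run the check over the constructed map
audit_sample() {
    printf '%s\n' "$SAMPLE" | exposed_hashes
}
```

If the count is non-zero, every listed hash is available to anyone who can bind to the domain; moving the hashes into a shadow map (or off NIS altogether) is the fix, and the audit is worth repeating after each map rebuild.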


Re: [expert] multiple logons

2000-09-06 Thread Ron Johnson, Jr.

"Zaleski, Matthew (M.E.)" wrote:
>
[snip]
> second login and a forking process is pretty minor in Linux).  Why would you
> care if someone logs in multiple times?  If that's a concern, go use
[snip]

In most situations, u r right: there is no reason to restrict
multiple logins.  

HOWEVER, in the commercial realm, when dozens of clerks are 
logged into a system, it is often useful (for tracking, auditing 
or consistency, etc.) to only let a clerk log into a system once.

Ron 
-- 
+--------------------------------------------------------------+
| Ron Johnson, Jr.        Home: [EMAIL PROTECTED]              |
| Jefferson, LA  USA      WWW : [EMAIL PROTECTED]              |
|                                                              |
| Most overused words: feel, cool/kewl, fun, myBlah.com        |
| Most underused word: think                                   |
+--------------------------------------------------------------+




Re: [expert] multiple logons

2000-09-06 Thread Asheesh Laroia

On Wed, 6 Sep 2000, Ron Johnson, Jr. wrote:

> HOWEVER, in the commercial realm, when dozens of clerks are 
> logged into a system, it is often useful (for tracking, auditing 
> or consistency, etc.) to only let a clerk log into a system once.


But if I wanted to wreak havoc on the tracking system, I'd just open about
11 bash shells, scores of rxvts, and a few instances of Netscape.  That
way, I'd have lots of possible input methods on a *single* login.

Put simply, I don't think the concept of a single login really exists in
Linux Mandrake.

Best regards, though.  Anyone with more constructive suggestions, feel
free to prove me wrong!


-- Asheesh Laroia.


-- 
Olmstead's Law:
After all is said and done, a hell of a lot more is said than done.





Re: [expert] multiple logons

2000-09-06 Thread Michael R. Batchelor

> HOWEVER, in the commercial realm, when dozens of clerks are
> logged into a system, it is often useful (for tracking, auditing
> or consistency, etc.) to only let a clerk log into a system once.
[...]
> But if I wanted to wreak havoc on the tracking system, I'd just open
> about 11 bash shells, scores of rxvts, and a few instances of Netscape.  That
> way, I'd have lots of possible input methods on a *single* login.


I think you're confusing a tightly run highly centrally managed
environment with the mayhem which can be possible. True, in a
"relatively" open office you could create problems. But if you simply
put a quick check for the user logname against a match with any line
from the who command in the system wide profile you could kick out the
login. (Note: this is probably harder than it sounds here. But it's
always easy for the guy who doesn't have to make it work.)

To keep the situation controlled you can forgo the whole desktop idea
and just start xwindows and the data entry application from the
~/.bash_profile. They exit that app and get logged right back out.

If you really have a bunch of people moving around to different
workstations you probably want to set up xdm so that the desktop box is
merely running X and the user is actually logging in to a server rather
than the local machine. (A poor man's X terminal if you will.)

Of course, if it's a curses based data entry program you need no X at
all.

Overall, it's certainly "doable", though not really trivial if you need
X, to keep people from logging in the central server more than once.
It's actually trivial if your data entry program is curses based and you
use "dumb terminals" to run the app. But the original poster needs to
keep in mind that there isn't a "centrally managed domain" like the NT
model. In NT a central server is in control of the login of the local
workstation. One could set up a remote authorization server and plow
through all of this in LM, but it's a bunch of work. I don't think any
Linux distribution (or, for that matter, any commercial Unix
distribution) ships with that kind of configuration available out of the
box.

Michael
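The who-based check that Anton's one-liner implements earlier in the thread and that Michael describes here, written out as an added example (not code from either post): it matches the login name exactly instead of with a substring grep, counts sessions from a who listing passed on stdin so it can be exercised offline against a constructed listing, and ends with Michael's idea of exec'ing the data-entry program so that quitting it ends the login. USER, MAXLOGINS and APP are assumed variable names, and the who output below is constructed.

```shell
#!/bin/sh
# Single-login watchdog for /etc/profile (added example, not from the thread).
# Intended use, sourced from the system-wide profile:   watchdog

# session_count USER : number of utmp sessions for USER in the `who` listing
# on stdin.  Field 1 of each who line is the login name; it is compared for
# equality, so "al" does not match "alice" or a tty/host containing "al".
session_count() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# login_allowed USER MAX : succeed if USER has at most MAX sessions in the
# listing on stdin.  The login being checked is already in utmp when
# /etc/profile runs, so MAX=1 means "this is the only session".
login_allowed() {
    [ "$(session_count "$1")" -le "$2" ]
}

# Constructed `who` output used by the checks: "al" and "alice" share a
# prefix on purpose; alice has two pty sessions, bob one serial session.
WHO_SAMPLE='al       tty1         Sep  7 09:12
alice    pts/0        Sep  7 09:15 (ws12)
alice    pts/1        Sep  7 09:20 (ws12)
bob      ttyS3        Sep  7 09:30'

# watchdog: what /etc/profile runs for each login.  MAXLOGINS (default 1) and
# APP are assumed names; APP is the hypothetical data-entry program that
# replaces the shell, so leaving it logs the clerk out (Michael's
# ~/.bash_profile suggestion).  `exit` here ends the login shell because the
# profile is sourced, not executed.
watchdog() {
    : "${MAXLOGINS:=1}"
    if ! who | login_allowed "$USER" "$MAXLOGINS"; then
        echo "You are already logged in; only $MAXLOGINS session(s) permitted."
        exit 1
    fi
    [ -n "$APP" ] && exec "$APP"
}
```

Because the count comes from utmp, this has the same blind spot Anton notes: anything that registers a pty in utmp counts as a session, and anything that does not is invisible to it, which is why pam_limits or a curses application on dumb terminals is the more reliable route when X is involved.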





Re: [expert] multiple logons

2000-09-06 Thread Ron Johnson, Jr.

Asheesh Laroia wrote:
>
> On Wed, 6 Sep 2000, Ron Johnson, Jr. wrote:
>
> > HOWEVER, in the commercial realm, when dozens of clerks are
> > logged into a system, it is often useful (for tracking, auditing
> > or consistency, etc.) to only let a clerk log into a system once.
>
> But if I wanted to wreak havoc on the tracking system, I'd just open about
> 11 bash shells, scores of rxvts, and a few instances of Netscape.  That
> way, I'd have lots of possible input methods on a *single* login.
>
> Put simply, I don't think the concept of a single login really exists in
> Linux Mandrake.
>
> Best regards, though.  Anyone with more constructive suggestions, feel
> free to prove me wrong!
>
> -- Asheesh Laroia.

I agree with u; I was simply pointing out a circumstance where
single-login is useful...

Would it be easier, if not foolproof, to enforce single-login
on dumb serial terminals?

Ron
-- 
+--------------------------------------------------------------+
| Ron Johnson, Jr.        Home: [EMAIL PROTECTED]              |
| Jefferson, LA  USA      WWW : [EMAIL PROTECTED]              |
|                                                              |
| Most overused words: feel, cool/kewl, fun, myBlah.com        |
| Most underused word: think                                   |
+--------------------------------------------------------------+