Re: Limit number of login sessions
just curious why the pf solution would not work for you? On Sun, Sep 21, 2008 at 2:16 AM, Maximo Pech <[EMAIL PROTECTED]> wrote: > Hi I'm looking for a way to configure a limit for the maximum number of > simultaneous login sessions for a user. I want to do this for preventing > users to create multiple ssh sessions. I think something similar can be done > trough pf, but that's not the approach I'm looking for.
Re: Limit number of login sessions
On Sunday 21 September 2008 02:16:58 Maximo Pech wrote: > Hi I'm looking for a way to configure a limit for the maximum number of > simultaneous login sessions for a user. I want to do this for preventing > users to create multiple ssh sessions. I think something similar can be > done trough pf, but that's not the approach I'm looking for. Hi how about the sessionlimit in login.conf? Haven't ever used it myself but sounds quite promising.
Re: Limit number of login sessions
On Sunday 21 September 2008 02:16:58 Maximo Pech wrote: > Hi I'm looking for a way to configure a limit for the maximum number of > simultaneous login sessions for a user. I want to do this for preventing > users to create multiple ssh sessions. I think something similar can be > done trough pf, but that's not the approach I'm looking for. Hi how about the sessionlimit in login.conf? Haven't ever used it myself but sounds quite promising. Or just forget that, I was in a FreeBSD console :-/
Re: Limit number of login sessions
Well I guess I will have to resolve this by coding something. What do you think about this: There will be a daemon that has a list of logged users. When a user logs in a small program is launched that tell the daemon the user has logged in. The daemon looks for the user in the list of users, If the user is there it tells the program launched before to unlogin the user. If the user isn't there the daemon adds it to the list of users and a thread is created, this will check every x time if the user is still logged in. if it isn't, it deletes the user from the logged users lists and terminates. 2008/9/22 Maximo Pech <[EMAIL PROTECTED]> > This will be a ssh tunnel, I want to share it with a few friends, but I > don't want them sharing it with someone else because if a lot of people > start using it my upload bandwidth will suffer. It's very easy for them > giving away their user/password to someone else, then those give the > password to someone else... suddenly you have 20 ssh connections when you > intended to have only 5. > > 2008/9/22 Jan Stary <[EMAIL PROTECTED]> > > On Sep 20 21:16:58, Maximo Pech wrote: >> > Hi I'm looking for a way to configure a limit for the maximum number of >> > simultaneous login sessions for a user. >> > I want to do this for preventing >> > users to create multiple ssh sessions. >> >> why?
Re: Limit number of login sessions
On Wed, Sep 24, 2008 at 10:48 AM, Maximo Pech <[EMAIL PROTECTED]> wrote:
> 2008/9/22 Maximo Pech <[EMAIL PROTECTED]>
>
>> This will be a ssh tunnel, I want to share it with a few friends, but I
>> don't want them sharing it with someone else because if a lot of people
>> start using it my upload bandwidth will suffer. It's very easy for them
>> giving away their user/password to someone else, then those give the
>> password to someone else... suddenly you have 20 ssh connections when you
>> intended to have only 5.
Some friends you have...
ps aux | grep sshd | grep priv | awk '{print $12}' | sort | uniq -c
Tell your friends if their number ever gets bigger than 2, they're no
longer your friends. A few more minutes of scripting and you'll have
something to run in cron that deletes their account.
Re: Limit number of login sessions
On 24.09-09:48, Maximo Pech wrote: > Well I guess I will have to resolve this by coding something. What do you > think about this: [ ... ] would you not be better to use ALTQ to limit the bandwidth available to each user? then if they share their password their only sharing their own use? if not then i'd suggest you create a BSD auth module for processing the login sessions and add a 'login-max' capability.
Re: Limit number of login sessions
> Some friends you have...
>
> ps aux | grep sshd | grep priv | awk '{print $12}' | sort | uniq -c
>
> Tell your friends if their number ever gets bigger than 2, they're no
> longer your friends. A few more minutes of scripting and you'll have
> something to run in cron that deletes their account.
That one sounds good.
Re: Limit number of login sessions
> would you not be better to use ALTQ to limit the bandwidth available > to each user? then if they share their password their only sharing > their own use? Users are not in my local network. They will connect from the internet and they have dynamic IPs so I guess that wouldn't work because altq can limit bandwidth based on IP address, not on user names. > > > if not then i'd suggest you create a BSD auth module for processing > the login sessions and add a 'login-max' capability. > What kind of module? a kernel module?
Re: Limit number of login sessions
> Please describe this situation some more. What does 'sharing a ssh tunnel' > mean? Once a ssh tunnel is established, it just tunnels between two > points, > nobody needs to login anywhere then to 'use' it. It means that I use my computer on a home adsl connection as a ssh tunnel and that I let some friends use it as well but I don't want them to abuse. What we are doing is connecting to the ssh server with some ssh client, it creates a socks proxy on our local computers, we configure our programs to connect to the local proxy and everything is forwarded trough the ssh tunnel. I mean, I don't know if there's another way to do it without having to login in the ssh server. > This sounds like an obfuscated utmp(5) > > Yeah, utmp sounds useful for this.
Re: Limit number of login sessions
Maximo Pech schrieb: would you not be better to use ALTQ to limit the bandwidth available to each user? then if they share their password their only sharing their own use? Users are not in my local network. They will connect from the internet and they have dynamic IPs so I guess that wouldn't work because altq can limit bandwidth based on IP address, not on user names. from pf.conf(5): user This rule only applies to packets of sockets owned by the specified user. For outgoing connections initiated from the firewall, this is the user that opened the connection. For incoming connections to the firewall itself, this is the user that listens on the destination port. For forwarded connections, where the firewall is not a connection endpoint, the user and group are unknown. don't know if that could be useful for your purpose, but it sounds a nice feature. you should be able assign the queues based on the user. regards, julian if not then i'd suggest you create a BSD auth module for processing the login sessions and add a 'login-max' capability. What kind of module? a kernel module?
Re: Limit number of login sessions
Maximo Pech escreveu: > I mean, I don't know if there's another way to do it without having to login > in the ssh server. > What about a VPN? You can filter on vpn ip's. -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD Stable Ubuntu 8.04 Hardy Heron 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
