Limit number of login sessions

Hi I'm looking for a way to configure a limit for the maximum number of
simultaneous login sessions for a user. I want to do this for preventing
users to create multiple ssh sessions. I think something similar can be done
trough pf, but that's not the approach I'm looking for.

just curious why the pf solution would not work for you?



On Sun, Sep 21, 2008 at 2:16 AM, Maximo Pech <makzpj@...> wrote:
> Hi I'm looking for a way to configure a limit for the maximum number of
> simultaneous login sessions for a user. I want to do this for preventing
> users to create multiple ssh sessions. I think something similar can be done
> trough pf, but that's not the approach I'm looking for.

On Sunday 21 September 2008 02:16:58 Maximo Pech wrote:
> Hi I'm looking for a way to configure a limit for the maximum number of
> simultaneous login sessions for a user. I want to do this for preventing
> users to create multiple ssh sessions. I think something similar can be
> done trough pf, but that's not the approach I'm looking for.

Hi how about the sessionlimit in login.conf? Haven't ever used it myself but
sounds quite promising.

On Sunday 21 September 2008 02:16:58 Maximo Pech wrote:
> Hi I'm looking for a way to configure a limit for the maximum number of
> simultaneous login sessions for a user. I want to do this for preventing
> users to create multiple ssh sessions. I think something similar can be
> done trough pf, but that's not the approach I'm looking for.

Hi how about the sessionlimit in login.conf? Haven't ever used it myself but
sounds quite promising.
Or just forget that, I was in a FreeBSD console :-/

Well I guess I will have to resolve this by coding something. What do you
think about this:

There will be a daemon that has a list of logged users. When a user logs in
a small program is launched that tell the daemon the user has logged in. The
daemon looks for the user in the list of users, If the user is there it
tells the program launched before to unlogin the user. If the user isn't
there the daemon adds it to the list of users and a thread is created, this
will check every x time if the user is still logged in. if it isn't, it
deletes the user from the logged users lists and terminates.

2008/9/22 Maximo Pech <makzpj@...>

On 24.09-09:48, Maximo Pech wrote:
> Well I guess I will have to resolve this by coding something. What do you
> think about this:
[ ... ]

would you not be better to use ALTQ to limit the bandwidth available
to each user?  then if they share their password their only sharing
their own use?

if not then i'd suggest you create a BSD auth module for processing
the login sessions and add a 'login-max' capability.

On Wed, Sep 24, 2008 at 10:48 AM, Maximo Pech <makzpj@...> wrote:
> 2008/9/22 Maximo Pech <makzpj@...>
>
>> This will be a ssh tunnel, I want to share it with a few friends, but I
>> don't want them sharing it with someone else because if a lot of people
>> start using it my upload bandwidth will suffer. It's very easy for them
>> giving away their user/password to someone else, then those give the
>> password to someone else... suddenly you have 20 ssh connections when you
>> intended to have only 5.

Some friends you have...

ps aux | grep sshd | grep priv | awk '{print $12}' | sort | uniq -c

Tell your friends if their number ever gets bigger than 2, they're no
longer your friends.  A few more minutes of scripting and you'll have
something to run in cron that deletes their account.

> would you not be better to use ALTQ to limit the bandwidth available
> to each user?  then if they share their password their only sharing
> their own use?


Users are not in my local network. They will connect from the internet and
they have dynamic IPs so I guess that wouldn't work because altq can limit
bandwidth based on IP address, not on user names.


>
>
> if not then i'd suggest you create a BSD auth module for processing
> the login sessions and add a 'login-max' capability.
>

What kind of module? a kernel module?

> Some friends you have...
>
> ps aux | grep sshd | grep priv | awk '{print $12}' | sort | uniq -c
>
> Tell your friends if their number ever gets bigger than 2, they're no
> longer your friends.  A few more minutes of scripting and you'll have
> something to run in cron that deletes their account.


That one sounds good.

> Please describe this situation some more.  What does 'sharing a ssh tunnel'
> mean?  Once a ssh tunnel is established, it just tunnels between two
> points,
> nobody needs to login anywhere then to 'use' it.


It means that I use my computer on a home adsl connection as a ssh tunnel
and that I let some friends use it as well but I don't want them to abuse.

What we are doing is connecting to the ssh server with some ssh client, it
creates a socks proxy on our local computers, we configure our programs to
connect to the local proxy and everything is forwarded trough the ssh
tunnel.

I mean, I don't know if there's another way to do it without having to login
in the ssh server.


> This sounds like an obfuscated utmp(5)
>
>
Yeah, utmp sounds useful for this.

Maximo Pech schrieb:
>> would you not be better to use ALTQ to limit the bandwidth available
>> to each user?  then if they share their password their only sharing
>> their own use?
>
>
> Users are not in my local network. They will connect from the internet and
> they have dynamic IPs so I guess that wouldn't work because altq can limit
> bandwidth based on IP address, not on user names.

from pf.conf(5):

user <user>
This rule only applies to packets of sockets owned by the specified
user.  For outgoing connections initiated from the firewall, this is the
user that opened the connection.  For incoming connections to the
firewall itself, this is the user that listens on the destination port.
  For forwarded connections, where the firewall is not a connection
endpoint, the user and group are unknown.

don't know if that could be useful for your purpose, but it sounds a
nice feature. you should be able assign the queues based on the user.

regards,
julian

>
>
>>
>> if not then i'd suggest you create a BSD auth module for processing
>> the login sessions and add a 'login-max' capability.
>>
>
> What kind of module? a kernel module?

Maximo Pech escreveu:
> I mean, I don't know if there's another way to do it without having to login
> in the ssh server.
>  
What about a VPN? You can filter on vpn ip's.

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85