Limit user login to only one time ever


Post by Christian Patters » Sun, 19 May 2002 02:27:14



Thank you for the help.

I have a customer who needs to limit some of their FTP/SCP users to
one login, this is not concurrent logins. I've been looking for a PAM
module to do this, and can't seem to find one yet.

Account expiration times are no good as they are servicing a global
user base. One time passwords are also no good.

I am looking for something that might be able to do this on a group
level.

I don't expect I'll find what I'm looking for, and imagine that only
one simultaneous used ID login with a periodic cron job to clean up
ID's, will be the answer.

I appreciate any and all thought or comments.

Thank you

 
 
 


Post by Neal Murph » Sun, 19 May 2002 07:41:49



> Thank you for the help.

> I have a customer who needs to limit some of their FTP/SCP users to
> one login, this is not concurrent logins. I've been looking for a PAM
> module to do this, and can't seem to find one yet.

> Account expiration times are no good as they are servicing a global
> user base. One time passwords are also no good.

> I am looking for something that might be able to do this on a group
> level.

> I don't expect I'll find what I'm looking for, and imagine that only
> one simultaneous used ID login with a periodic cron job to clean up
> ID's, will be the answer.

Modify the daemon sources so that they remove the users' entries in
passwd and shadow just before exiting. This might involve forking
and waiting for the child to exit before proceeding with the removal.
I think the daemons do a setuid(2) once the username/password have
been verified, so a fork might be needed to ensure that some part of
the process tree is still root in order to effect the removal.

Fest3er

 
 
 


Post by Dave Bro » Sun, 19 May 2002 12:17:13




> I have a customer who needs to limit some of their FTP/SCP users to
> one login, this is not concurrent logins. I've been looking for a PAM
> module to do this, and can't seem to find one yet.

> Account expiration times are no good as they are servicing a global
> user base. One time passwords are also no good.
> ...

Perhaps you could write the ftpd information to a file (via syslogd)
which is monitored by another process (like a tail -f), scanning for
that user id; when it's received, lock the account in /etc/shadow.
Might want to also keep a log, and maybe set an at job to delete the
user account.  Seems like a shell script or perl script could do
what you need.

--
Dave Brown  Austin, TX
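
Added example, not part of the post above or of any ftpd/sshd package: a sketch of the log-watcher approach, following the log and locking a group member's account on its first successful login. The group name, state file path, log path and the two log-line patterns (modelled on sshd and wu-ftpd style syslog messages) are assumptions to adapt to the daemon in use.

```shell
#!/bin/sh
# Lock a single-use account as soon as its first successful login is logged.
ONETIME_GROUP="${ONETIME_GROUP:-onetime}"           # hypothetical group name
DONE_FILE="${DONE_FILE:-/var/lib/onetime/locked}"   # hypothetical state file
LOCK_CMD="${LOCK_CMD:-usermod -L -e 1}"             # lock password, expire account

# Constructed sample lines the parser below is written for:
#   May 18 12:17:13 host sshd[101]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
#   May 18 12:18:00 host ftpd[202]: FTP LOGIN FROM client.example.com [192.0.2.11], bob

# Print the user from a successful-login line, else nothing. Fields are matched
# by position, so text a client injects later in a line cannot forge a match.
login_user() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" &&
            $10 == "from" { u = $9 }
        $5 ~ /^ftpd\[[0-9]+\]:$/ && $6 == "FTP" && $7 == "LOGIN" &&
            $8 == "FROM" && NF == 11 { u = $11 }
        u ~ /^[a-z_][a-z0-9_-]*$/ { print u }'
}

# Succeeds if user $1 belongs to $ONETIME_GROUP (the "group level" control).
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$ONETIME_GROUP"
}

# Handle one log line; echo the user name if this call locked the account.
handle_line() {
    user=$(login_user "$1")
    [ -n "$user" ] || return 0
    in_group "$user" || return 0
    grep -qxF "$user" "$DONE_FILE" 2>/dev/null && return 0   # already locked
    $LOCK_CMD "$user" || return 1
    printf '%s\n' "$user" >> "$DONE_FILE"   # keep a log of locked accounts
    printf '%s\n' "$user"
}

# Follow the log (tail -F survives rotation) and process new lines only.
watch_log() {
    tail -n 0 -F "$1" | while IFS= read -r line; do
        handle_line "$line" >/dev/null
    done
}

# Run as root with e.g. ONETIME_LOG=/var/log/auth.log (path is an assumption).
if [ -n "${ONETIME_LOG:-}" ]; then watch_log "$ONETIME_LOG"; fi
```

Locking happens after the login is logged, so the first session stays open and a second login can still get in during the short gap before the lock lands. `-e 1` is included because `usermod -L` alone only disables the password and leaves key-based SCP logins working.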

 
 
 


Post by D. Stuss » Mon, 20 May 2002 09:44:21




>> Thank you for the help.

>> I have a customer who needs to limit some of their FTP/SCP users to
>> one login, this is not concurrent logins. I've been looking for a PAM
>> module to do this, and can't seem to find one yet.

>> Account expiration times are no good as they are servicing a global
>> user base. One time passwords are also no good.

>> I am looking for something that might be able to do this on a group
>> level.

>> I don't expect I'll find what I'm looking for, and imagine that only
>> one simultaneous used ID login with a periodic cron job to clean up
>> ID's, will be the answer.

>Modify the daemon sources so that they remove the users' entries in
>passwd and shadow just before exiting. This might involve forking
>and waiting for the child to exit before proceeding with the removal.
>I think the daemons do a setuid(2) once the username/password have
>been verified, so a fork might be needed to ensure that some part of
>the process tree is still root in order to effect the removal.

Technically, only the shadow file need have the entry removed.  Killing the
password is sufficient.

Removal from /etc/passwd, plus the home directory, etc., can be done later.

 
 
 
