Elegant Solutions to kill telnet/ssh session

boshyd · June 17, 2010, 9:05am

We have a generic user account "user1" setup on Solaris 8 that is used by an application. I dont want users to telnet/ssh using this account. Instead if they want to gain access, they must su or sudo to this after logging in with their own ID.

My earlier attempts to accomplish this by disabling telnet/ssh for a particular user have gone nowhere, mostly because I dont understand tcp wrappers.

I am looking for more simpler solutions, maybe a script will do this. A script which looks for this PID and kills it. Before killing the session, I would want a message flashed saying do not login with this account, your telnet session will be removed in 10 seconds or so. Ideally, I want this to happen:

User enters correct "user1" credentials and logs in. System flashes messages saying logout and log back with your own account. Telnet/ssh process is killed.

I got the script to kill the telnet session part as below. However, how do I make message flash for those logging in with this account? Also, how do I ensure this script is always running in background? cron every minute will do the trick or is there any other service (daemon?) which always "listens"? How do I set this up?

PID=`ps -ef |grep ssh |grep user1 | awk '{print $2}'`
for i in $PID; do echo "killing telnet session process with PID = $i"; 
sleep 10;
kill -9 $PID;
done

Any other more elegant solutions you can propose? Thanks for your time.

verdepollo · June 17, 2010, 9:38am

Your script is killing SSH sessions, not telnet sessions.

A simpler solution would be to add the following line to sshd_config and restart the daemon.

DenyUsers user1

And check the sshd_config man page, there is an option called "Banner" - (Banner to be printed before authentication starts)

boshyd · June 17, 2010, 10:40am

How do I search for telnet sessions? Even if I telnet to this system, ps -ef shows ssh pid but no telnet pid.

achenle · June 17, 2010, 11:03am

You don't have to - just edit your shadow file (assuming you're using files for user accounts) to have something like "*NP*" in the password field.

That would prevent telnet access to the account, making the only way to get to the account would be via sudo (or su as root).

I'm not sure offhand if that would be secure enough, though. Maybe someone else could help with that.

boshyd · June 17, 2010, 11:04am

Actually I dont want to disturb password because the another app uses the same account to ftp to this server and changing password would mean changing it in multiple locations...big headache.

achenle · June 17, 2010, 11:07am

Then disable all telnet access and set the DenyUsers SSH property.

And you should probably use scp for the other app anyway. That way you could disable password access to the account.

boshyd · June 17, 2010, 11:41am

I dont want to disable all telnet, just this user.

anon64183241 · June 17, 2010, 12:04pm

While I agree that the "right" way to do this would be by disabling telnet, using scp (with public key auth, likely) instead of ftp, and using DenyUser in the sshd config file, it looks like your situation won't allow that.

As far as why telnet isn't showing up as a separate process, it's likely because it's being run out of xinetd/inetd, instead of being a standalone daemon.

One way, admittedly somewhat complex, would be to write a wrapper that would then be used as this users shell - the wrapper would have to test to see if the session was being started remotely from ssh or telnet, or via sudo, or via ftp, and then do the right thing.

I've seen this done, but it's not necessarily all that easy.