LinuxQuestions.org


WinkoBit 07-13-2016 10:58 AM

Force login prompt (again) to a logged-in user via SSH
 
Hello,
Is there a way (inside a shell script) to force the current user to switch account (or re-login) without prompting for the super user password? The user shouldn't be able to cancel it.

What I'm looking for is a way to invoke the login prompt, like when using the login command, but login requires root privileges (e.g. sudo login) to run, and the user can cancel it.

The big picture is as follows: the server is accessible via SSH and has a few local users. Users from Active Directory (AD) can access the server. We want to prevent direct access to the local users. If you want to use a local user, you have to log in as an AD user and then use su to switch user, so we can track which AD user used which local user for auditing. So the moment someone logs in directly using a local user, we need to prevent him, show a warning and prompt for login again, using the /etc/profile file.

Any thoughts? Thank you.

HMW 07-13-2016 02:12 PM

Quote:

Originally Posted by WinkoBit (Post 5575354)
Hello,
Is there a way (inside a shell script) to force the current user to switch account (or re-login) without prompting for the super user password? The user shouldn't be able to cancel it.

What I'm looking for is a way to invoke the login prompt, like when using the login command, but login requires root privileges (e.g. sudo login) to run, and the user can cancel it.

The big picture is as follows: the server is accessible via SSH and has a few local users. Users from Active Directory (AD) can access the server. We want to prevent direct access to the local users. If you want to use a local user, you have to log in as an AD user and then use su to switch user, so we can track which AD user used which local user for auditing. So the moment someone logs in directly using a local user, we need to prevent him, show a warning and prompt for login again, using the /etc/profile file.

Any thoughts? Thank you.

Umm... not sure I understand the whole picture, but here's a way to stop the script if the user is NOT root.
Code:

#!/bin/bash

# Check if user is root
if (( $EUID != 0 )); then
    echo "No, you are not root. Please retry." 1>&2
    exit 1
fi

echo "Hello root user!"

exit 0

You can use the same principle to stop a user with another UID of course.

Best regards,
HMW

WinkoBit 07-14-2016 05:35 AM

Hello,
What I need is a way to forcibly prompt the current user to log in again.

HMW 07-14-2016 06:34 AM

Quote:

Originally Posted by WinkoBit (Post 5575767)
Hello,
What I need is a way to forcibly prompt the current user to log in again.

Ok, well, something like this, perhaps.
Code:

#!/bin/bash

# Check if correct user (UID 1002 is the only account allowed to continue).
# $EUID never changes inside this script, so the loop only ends via "break".
while (( $EUID != 1002 )); do
    echo "No, wrong user. Please retry." 1>&2
    # Hand the session to the expected account; this blocks until that
    # shell exits, and su's exit status is that shell's exit status.
    if su correctUser; then
        break
    fi
done

echo "Goodbye!"

exit 0

But... this seems a lot like "hacking ssh" instead of setting things up in a better way from the beginning.

Best regards,
HMW

WinkoBit 07-14-2016 07:08 AM

That's almost it, but is there a way to make the user log out and then ask him to log in again without interrupting the SSH session?

descendant_command 07-14-2016 07:56 AM

Just deny ssh access to those users.
See 'man sshd_config'.
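A concrete sshd_config fragment for the approach suggested above, added here as an example that is not part of the thread; the local account names and the AD group name are constructed placeholders:

```conf
# /etc/ssh/sshd_config (fragment, added example)
# sshd evaluates DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order,
# and a login must pass every directive that is set.

# Local accounts that must never be reached by direct SSH login
# (constructed names; list the real local accounts here).
DenyUsers svc_app svc_backup

# Only members of this AD-provided group (resolved through NSS, e.g. sssd or
# winbind) may authenticate over SSH at all. Constructed group name.
AllowGroups ad-ssh-users
```

With this in place a local account is only reachable through su from an AD user's session, and the su call is recorded in the auth log under the AD user's name; run `sshd -t` to check the file before restarting sshd.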

sundialsvcs 07-17-2016 10:25 AM

It seems to me that PAM might be usable here ... although you might need to write your own custom PAM rule-handler.

The customization would not take place within ssh(d) and would, I think, have nothing at all to do with that layer of software. This is, fundamentally, a "system authentication/authorization requirement." Hence, PAM.

Habitual 07-17-2016 04:45 PM

Quote:

Originally Posted by WinkoBit (Post 5575767)
Hello,
What I need is a way to forcibly prompt the current user to log in again.

Are you sure?
Quote:

Originally Posted by WinkoBit (Post 5575354)
force the current user to switch account (or re-login) without prompting

Prompt or no prompt?
I don't know PAM so, <no comment>

Stop wasting time.
http://xyproblem.info/
http://catb.org/~esr/faqs/smart-questions.html

sundialsvcs 07-17-2016 09:27 PM

PAM refers to Pluggable Authentication Modules, which is a central kernel mechanism by which almost every authentication task is performed.

(I say this "for general information," directed to the Peanut Gallery not specifically to any of you ...)
