Force login prompt (again) to a logged-in user via SSH
Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Force login prompt (again) to a logged-in user via SSH
Hello,
Is there a way (inside a shell script) to force the current user to switch account (or re-login) without prompting super user password ? The user shouldn't be able to cancel it.
What I'm looking for is a way to invoke the login prompt, like when using the login command, but login require root privilege (ex. sudo login) to run, and the user can cancel it.
The big picture is as follow; The server is accessible via SSH and have a few local users. Users from Active Directory (AD) can access the server. We want to prevent direct access to the local users. If you want to use a local user, you have to log in as an AD user and then use su to switch user so we can track which AD user used which local user for auditing. So the moment someone log in directly using a local user, we need to prevent him, show a warning and prompt login again, using the /etc/profile file.
Hello,
Is there a way (inside a shell script) to force the current user to switch account (or re-login) without prompting super user password ? The user shouldn't be able to cancel it.
What I'm looking for is a way to invoke the login prompt, like when using the login command, but login require root privilege (ex. sudo login) to run, and the user can cancel it.
The big picture is as follow; The server is accessible via SSH and have a few local users. Users from Active Directory (AD) can access the server. We want to prevent direct access to the local users. If you want to use a local user, you have to log in as an AD user and then use su to switch user so we can track which AD user used which local user for auditing. So the moment someone log in directly using a local user, we need to prevent him, show a warning and prompt login again, using the /etc/profile file.
Any thoughts ? Thank you.
Umm... not sure I understand the whole picture, but here's a way to stop if a user is NOT root.
Code:
#!/bin/bash
# Check if user is root
if (( $EUID != 0 )); then
echo "No, you are not root. Please retry." 1>&2
exit 1
fi
echo "Hello root user!"
exit 0
You can use the same principle to stop a user with another UID of course.
Hello,
What I need is a way to forcibly prompt current user to login again
Ok, well something like this perhaps.
Code:
#!/bin/bash
# Check if correct user
while (( $EUID != 1002 )); do
echo "No, Wrong user. Please retry." 1>&2
su correctUser
if (( $? == 0 )); then
break
fi
done
echo "Goodbye!"
exit 0
But... this seems a lot like "hacking ssh" instead of setting things up in a better way from the beginning.
It seems to me that PAM might be usable here ... although you might need to write your own custom PAM rule-handler.
The customization would not take place within ssh(d) and would, I think, have nothing at all to do with that layer of software. This is, fundamentally, a "system authentication/authorization requirement." Hence, PAM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
