LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 07-13-2016, 11:58 AM   #1
WinkoBit
LQ Newbie
 
Registered: Jul 2016
Posts: 3

Rep: Reputation: Disabled
Force login prompt (again) to a logged-in user via SSH


Hello,
Is there a way (inside a shell script) to force the current user to switch account (or re-login) without prompting super user password ? The user shouldn't be able to cancel it.

What I'm looking for is a way to invoke the login prompt, like when using the login command, but login require root privilege (ex. sudo login) to run, and the user can cancel it.

The big picture is as follow; The server is accessible via SSH and have a few local users. Users from Active Directory (AD) can access the server. We want to prevent direct access to the local users. If you want to use a local user, you have to log in as an AD user and then use su to switch user so we can track which AD user used which local user for auditing. So the moment someone log in directly using a local user, we need to prevent him, show a warning and prompt login again, using the /etc/profile file.

Any thoughts ? Thank you.
 
Old 07-13-2016, 03:12 PM   #2
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Red Hat, CentOS
Posts: 773
Blog Entries: 3

Rep: Reputation: 369Reputation: 369Reputation: 369Reputation: 369
Quote:
Originally Posted by WinkoBit View Post
Hello,
Is there a way (inside a shell script) to force the current user to switch account (or re-login) without prompting super user password ? The user shouldn't be able to cancel it.

What I'm looking for is a way to invoke the login prompt, like when using the login command, but login require root privilege (ex. sudo login) to run, and the user can cancel it.

The big picture is as follow; The server is accessible via SSH and have a few local users. Users from Active Directory (AD) can access the server. We want to prevent direct access to the local users. If you want to use a local user, you have to log in as an AD user and then use su to switch user so we can track which AD user used which local user for auditing. So the moment someone log in directly using a local user, we need to prevent him, show a warning and prompt login again, using the /etc/profile file.

Any thoughts ? Thank you.
Umm... not sure I understand the whole picture, but here's a way to stop if a user is NOT root.
Code:
#!/bin/bash

# Check if user is root
if (( $EUID != 0 )); then
    echo "No, you are not root. Please retry." 1>&2
    exit 1
fi

echo "Hello root user!"

exit 0
You can use the same principle to stop a user with another UID of course.

Best regards,
HMW
 
1 members found this post helpful.
Old 07-14-2016, 06:35 AM   #3
WinkoBit
LQ Newbie
 
Registered: Jul 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Hello,
What I need is a way to forcibly prompt current user to login again
 
Old 07-14-2016, 07:34 AM   #4
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Red Hat, CentOS
Posts: 773
Blog Entries: 3

Rep: Reputation: 369Reputation: 369Reputation: 369Reputation: 369
Quote:
Originally Posted by WinkoBit View Post
Hello,
What I need is a way to forcibly prompt current user to login again
Ok, well something like this perhaps.
Code:
#!/bin/bash

# Check if correct user
while (( $EUID != 1002 )); do
    echo "No, Wrong user. Please retry." 1>&2
    su correctUser
    if (( $? == 0 )); then
        break
    fi  
done

echo "Goodbye!"

exit 0
But... this seems a lot like "hacking ssh" instead of setting things up in a better way from the beginning.

Best regards,
HMW
 
Old 07-14-2016, 08:08 AM   #5
WinkoBit
LQ Newbie
 
Registered: Jul 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
That's almost it, but is there a way to make the user logout then asking him to login without interrupting the SSH session ?
 
Old 07-14-2016, 08:56 AM   #6
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,714

Rep: Reputation: 553Reputation: 553Reputation: 553Reputation: 553Reputation: 553Reputation: 553
Just deny ssh access to those users.
See 'man sshd_config'.
 
Old 07-17-2016, 11:25 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179
It seems to me that PAM might be usable here ... although you might need to write your own custom PAM rule-handler.

The customization would not take place within ssh(d) and would, I think, have nothing at all to do with that layer of software. This is, fundamentally, a "system authentication/authorization requirement." Hence, PAM.
 
Old 07-17-2016, 05:45 PM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by WinkoBit View Post
Hello,
What I need is a way to forcibly prompt current user to login again
Are you sure?
Quote:
Originally Posted by WinkoBit View Post
force the current user to switch account (or re-login) without prompting
Prompt or no prompt?
I don't know PAM so, <no comment>

Stop wasting time.
http://xyproblem.info/
http://catb.org/~esr/faqs/smart-questions.html
 
1 members found this post helpful.
Old 07-17-2016, 10:27 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179Reputation: 3179
PAM refers to Pluggable Authentication Modules, which is a central kernel mechanism by which almost every authentication task is performed.

(I say this "for general information," directed to the Peanut Gallery not specifically to any of you ...)
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Get logged out immediately after login (TTY and SSH) Baldho Linux - Software 5 07-24-2012 09:06 PM
Disable root login, but still be able to sudo -s after logged with another user (ssh) ytd Linux - General 12 04-25-2010 12:34 PM
How to force a user/password prompt to logon? binary66 Puppy 5 09-08-2006 06:50 AM
Brute Force SSH Login Preventer... matsko Linux - Security 5 04-19-2006 10:02 AM
user logged on with ssh not shown with w or who galle Linux - General 4 02-10-2006 11:24 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 10:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration