[SOLVED] Signal when there are n users logged in via SSH

Turbocapitalist · 11-10-2019, 11:59 PM

I'm looking for a simple way to signal when there are n or more users logged into a particular system via SSH. In particular I want to trigger actions when the threshold is passed in either direction. It is easy to trigger an action as root via PAM when someone logs in or out but that by itself is full of race conditions and so I am wondering about the logic required to prevent race conditions with a lot of concurrent users and as well as some people logged into the same account multipe times.

Should I just try to keep a single persistent file containing a counter that is incremented and decremented on login and logout? Or is there a better way. A shell script is preferable.

The following environment variables are available to PAM:

DBUS_SESSION_BUS_ADDRESS
LANG
PAM_RHOST
PAM_SERVICE
PAM_TTY
PAM_TYPE
PAM_USER
PWD
SSH_AUTH_INFO_0
XDG_RUNTIME_DIR
XDG_SESSION_CLASS
XDG_SESSION_ID
XDG_SESSION_TYPE

pan64 · 11-11-2019, 01:56 AM

yes, you can count log in/outs, but why do you need that?
you can avoid race conditions if you protect your increment/decrement with a semaphore.

Turbocapitalist · 11-11-2019, 05:22 AM

So something like this? It seems to work but I would welcome feedback, even on style, but especially on how to remove that one bashism.

Code:

#!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin;
DIR="/tmp/foo-test"

test -d "${DIR}" || mkdir -p -m 700 "${DIR}" || exit 1
test -w "${DIR}" || exit 1

umask 027
lock="${DIR}/foo.lock"
exec 20>"${lock}"
flock -x -w 10 20 || exit 1

counter="${DIR}/foo.counter"

if ! test -f "${counter}"; then
        echo 0 > "${counter}"
fi

threshold=101

if [ "$PAM_TYPE" = "open_session" ] ; then
        c=$(cat "${counter}")
        c=$((c+1))
        if [ ${c} -le 0 ]; then
                c=0
        fi

        echo ${c}> "${counter}"
        trigger_script on

elif [ "$PAM_TYPE" = "close_session" ] ; then
        c=$(cat "${counter}")
        c=$((c-1))

        if [ ${c} -le 0 ]; then
                c=0
        fi

        echo ${c}> "${counter}"

        if [ ${c} -le ${threshold} ]; then
                trigger_script off
        fi

fi

exec 20>&-
exit 0

pan64 · 11-11-2019, 07:47 AM

more or less yes, that it is. What bashism do you want to remove?
I think you can set lock on counter, there is no need for another lockfile.

Turbocapitalist · 11-11-2019, 09:17 AM

Thanks. It sounds good to just use one file for both the counter and the lock.

As far as bashisms go, these two seem one type:

Code:

. . .
exec 20>"${lock}"
. . .
exec 20>&-
. . .

Is there a generic POSIX way to do the lock file?

pan64 · 11-11-2019, 11:17 AM

probably lockfile is a bit better.
i would lock only the increment/decrement parts, not the whole script.
and also use:

Code:

c=$(<"${counter}") # without cat

but most probably these are not really relevant changes

scasey · 11-11-2019, 12:05 PM

What about periodic parsing of the output of:

Code:

netstat -tnp | grep <localIP>:22 | sort -k8

or, if you only care about counts, and not who:

Code:

netstat -tn | grep <localIP>:22 | wc -l

no parsing required. If the result is => n, trigger your action. Run as frequently as you want via cron or in a loop with a sleep.

Am I missing something?