Temporarily restrict logins for a user to a single IP

Background

I have a bunch of Raspberry Pi 3 devices running Linux, which are shared among multiple engineers. For the sake of simplicity, each Linux box has the same default username/password (i.e. everyone logs in as root) to test software we develop. This is a hard requirement (i.e. can't change this).

Problem

On occasion, two users (usually one working in the office, and another remotely via VPN) will log in to the same device at the same time, and the two users can cause issues for each other if both are running software that attempts to gain exclusive access to hardware connected to the box. Additionally, sometimes a user will reboot the system, which really annoys the other developer. While we try to implement schedules for exclusive access, these are often ignored when someone "just needs to get a quick check done".

Question

Is there a way, on-demand (i.e. I don't always want this "feature" enabled), for a user to reserve the use of an account (i.e. root) for interactive/non-interactive SSH logons, so that only the IP address (i.e. `SSH_CLIENT`) associated with that individual can be used? For example, let's say Bob and Alice both want to log in to host `darkstar` with username `root`. Bob logs in first, and his IP address is `192.168.1.100`. Bob wants exclusive access to `darkstar` for 10 minutes, so he executes a special command (i.e. `bash /opt/mine_for_10_mins.sh`), and for those 10 minutes:

- Bob can create additional interactive/non-interactive SSH instances (i.e. login via `ssh`, `scp`, `sftp`, etc.), so long as it's from the same source IP address of `192.168.1.100` (or whatever is stored in `SSH_CLIENT`).
- Alice, who is attempting to log in from IP `10.10.0.200`, is unable to log in until the 10 minute period has elapsed, or Bob logs out.

I'd ideally like to have both, and set an upper limit, so Bob can't just reserve a box for 48 hours, leave for the weekend, and leave people unable to log in: if Bob logs out early, great; but he can't reserve for more than 10 minutes (or maybe 12 hours) at a time.

Ideally, I'd like to either accomplish this with a timer, or, if it's too impractical/difficult, I'd like the "reservation" to end when Bob terminates all his login sessions from `192.168.1.100`.

Work So Far

I've tried playing with `touch`'ing `/etc/nologin`, but I couldn't find a way to guarantee it would be auto-deleted, and if our engineers are working remotely (flexible work-from-home setup), I don't want everyone locked out of the boxes unless someone comes in to fix the device remotely (though we are looking into a network-enabled KVM to remedy this).

There's also the possibility of running a script that periodically (i.e. every 5 seconds) auto-boots other users from other IPs by slaying off their `sshd` instances, but I'd like to try and prevent logins entirely, as it's quite common for people to run non-interactive `ssh` sessions with scripts that can interfere with other users on the same Linux box, and a polling-based approach wouldn't prevent that.

Thank you.

linux ssh users login sshd
TCPWrappers is the traditional method I've used to do exactly this - thegeekdiary.com/… & centos.org/docs/rhel-rg-en-3/s1-tcpwrappers-access.html. Most tools are built with this support (`ssh` etc) out of the box. You can also do this via SSH's `sshd_config` file, creating matching sets that allow specific IPs + username combinations in. This method requires restarts to `sshd`.
– slm♦
Aug 24 '18 at 1:43
edited Aug 24 '18 at 1:37
Jeff Schaller
asked Aug 24 '18 at 1:30
DevNull
1 Answer
Using your example, I'd use iptables to expressly block Alice's SSH access and to accept SSH traffic from Bob's IP address. From the command line, you'd need to enter something like the following (or script it):

Allow Bob's IP (192.168.1.100) to SSH to the default port (22):

```
$ sudo iptables -I INPUT -s 192.168.1.100 -p tcp -m tcp --dport 22 -m comment --comment "Allow Bob to SSH" -j ACCEPT
```

And block Alice's SSH access:

```
$ sudo iptables -I INPUT -s 10.1.0.200 -p tcp -m tcp --dport 22 -m comment --comment "Block Alice from using SSH to login" -j DROP
```

To unblock Alice, you'd use the iptables command with the --list and --line-numbers options to find the line containing her IP address and then delete the line from the table:

```
$ sudo iptables -L --line-numbers | grep 10.1.0.200
num  target  prot opt source      destination
1    DROP    tcp  --  10.1.0.200  anywhere     tcp dpt:ssh /* Do not allow Alice to SSH in */
$ sudo iptables -D INPUT 1
```

or, to do the same with a single command:

```
$ sudo iptables -L --line-numbers | grep "10.1.0.200" | awk '{print $1}' | xargs -I{} sudo iptables -D INPUT {}
```

And use the same command, substituting Alice's IP with Bob's to remove the explicit "Allow" rule for Bob's IP.

I'll leave the scripting to you. Let me know if you'd like thoughts on how you'd best enable the 10 minute timer thing.
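As an added example (not code from the thread or from either poster), here is what the reservation script the question describes could look like on top of the answer's iptables approach; it generalizes the answer by accepting the reserver's IP from `SSH_CLIENT` and dropping every other new connection to port 22, tagging both rules with a comment so they are removed by exact spec rather than by grepping line numbers, enforcing the 12-hour cap, and releasing when the timer expires or the reserver has no SSH session left. Assumed: it runs as root on the Pi, iptables has the conntrack and comment matches, `ss` from iproute2 is present, and the names `reserve_ssh.sh` and `ssh-reserve` are my own choices.

```shell
#!/bin/sh
# reserve_ssh.sh: reserve SSH (tcp/22) for the caller's source IP for N minutes.
# Assumptions: runs as root on the box, iptables with the conntrack and comment
# matches, and ss from iproute2 for session detection. Example, not the thread's code.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
MAX_MINUTES=720                     # hard cap: 12 hours, the question's upper bound
TAG="ssh-reserve"                   # comment tag so rules can be removed by exact spec

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Clamp the requested minutes to 1..MAX_MINUTES (non-numbers become 1); prints it.
clamp_minutes() {
    m=$1
    case "$m" in ''|*[!0-9]*) m=1 ;; esac
    [ "$m" -ge 1 ] || m=1
    [ "$m" -le "$MAX_MINUTES" ] || m=$MAX_MINUTES
    echo "$m"
}

# Source IP of the current session: SSH_CLIENT is "client_ip client_port server_port".
caller_ip() { set -- ${SSH_CLIENT:-}; echo "${1:-}"; }

# Rule specs (everything after "-I/-D INPUT"). The comment values contain no
# spaces, so the unquoted expansions below split cleanly into iptables arguments.
allow_spec() { printf '%s\n' "-s $1 -p tcp --dport 22 -m comment --comment $TAG-allow -j ACCEPT"; }
block_spec() { printf '%s\n' "-p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment $TAG-block -j DROP"; }

# Install: DROP every other *new* SSH connection, then put ACCEPT for $1 in front
# of it. Established sessions are untouched; only new logins are refused.
reserve() {
    $IPTABLES -I INPUT 1 $(block_spec)
    $IPTABLES -I INPUT 1 $(allow_spec "$1")
}

# Remove by exact spec rather than by line number: line numbers shift after each
# deletion and "grep <ip>" can match unrelated rules.
release() {
    $IPTABLES -D INPUT $(allow_spec "$1") 2>/dev/null || true
    $IPTABLES -D INPUT $(block_spec) 2>/dev/null || true
}

# Return 0 while at least one established SSH session from $1 exists
# (column 4 of ss output is the peer address:port; line 1 is the header).
has_session() {
    ss -nt state established '( sport = :22 )' \
        | awk -v ip="$1" 'NR > 1 { split($4, peer, ":"); if (peer[1] == ip) found = 1 } END { exit !found }'
}

main() {
    minutes=$(clamp_minutes "${1:-10}")
    ip=$(caller_ip)
    valid_ipv4 "$ip" || { echo "cannot determine caller IP from SSH_CLIENT" >&2; exit 1; }
    release "$ip"                    # idempotent: clear any stale reservation first
    reserve "$ip"
    echo "SSH reserved for $ip for $minutes minute(s)"
    # Detached watcher: releases when the timer expires OR when the reserver has
    # no SSH session left, whichever comes first. Ignores HUP so logout can't kill it.
    (
        trap '' HUP
        end=$(( $(date +%s) + minutes * 60 ))
        while [ "$(date +%s)" -lt "$end" ] && has_session "$ip"; do sleep 5; done
        release "$ip"
    ) </dev/null >/dev/null 2>&1 &
}

# Only act when invoked by name, so the functions can be sourced or tested.
case "${0##*/}" in reserve_ssh.sh) main "$@" ;; esac
```

Run it as `sh /opt/reserve_ssh.sh 10` from the SSH session that should own the box; running it again from the same IP simply renews the reservation.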
answered Jan 19 at 0:51
L.Ray