Temporarily restrict logins for a user to a single IP

Background

I have a bunch of Raspberry Pi 3 devices running Linux, which are shared among multiple engineers. For the sake of simplicity, each Linux box has the same default username/password (i.e. everyone logs in as root) to test software we develop. This is a hard requirement (i.e. can't change this).

Problem

On occasion, two users (usually one working in the office, and another remotely via VPN) will log in to the same device at the same time, and the two users can cause issues for each other if both are running software that attempts to gain exclusive access to hardware connected to the box. Additionally, sometimes a user will reboot the system, which really annoys the other developer. While we try to implement schedules for exclusive access, these are often ignored when someone "just needs to get a quick check done".

Question

Is there a way, on-demand (i.e. I don't always want this "feature" enabled), for a user to reserve the use of an account (i.e. root) for interactive/non-interactive SSH logons, so that only the IP address (i.e. SSH_CLIENT) associated with that individual can be used? For example, let's say Bob and Alice both want to log in to host darkstar with username root. Bob logs in first, and his IP address is 192.168.1.100. Bob wants exclusive access to darkstar for 10 minutes, so he executes a special command (i.e. bash /opt/mine_for_10_mins.sh), and for those 10 minutes:

  • Bob can create additional interactive/non-interactive SSH instances (i.e. log in via ssh, scp, sftp, etc.), so long as it's from the same source IP address of 192.168.1.100 (or whatever is stored in SSH_CLIENT).

  • Alice, who is attempting to log in from IP 10.10.0.200, is unable to log in until the 10 minute period has elapsed, or Bob logs out. I'd ideally like to have both, and set an upper limit, so Bob can't just reserve a box for 48 hours, leave for the weekend, and leave people unable to log in: if Bob logs out early, great; but he can't reserve for more than 10 minutes (or maybe 12 hours) at a time.

Ideally, I'd like to either accomplish this with a timer, or if it's too impractical/difficult, I'd like the "reservation" to end when Bob terminates all his login sessions from 192.168.1.100.

Work So Far

I've tried playing with touch'ing /etc/nologin, but I couldn't find a way to guarantee it would be auto-deleted, and if our engineers are working remotely (flexible work-from-home setup), I don't want everyone locked out of the boxes unless someone comes in to fix the device remotely (though we are looking into a network-enabled KVM to remedy this).

There's also the possibility of running a script that periodically (i.e. every 5 seconds) auto-boots other users from other IPs by slaying off their sshd instances, but I'd like to try and prevent logins entirely, as it's quite common for people to run non-interactive ssh sessions with scripts that can interfere with other users on the same Linux box, and a polling-based approach wouldn't prevent that.

Thank you.

  • TCPWrappers is the traditional method I've used to do exactly this - thegeekdiary.com/… & centos.org/docs/rhel-rg-en-3/s1-tcpwrappers-access.html. Most tools are built with this support (ssh etc) out of the box. You can also do this via SSH's sshd_config file creating matching sets that allow specific IPs + username combinations in. This method requires restarts to sshd.

    – slm
    Aug 24 '18 at 1:43
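The sshd_config route slm mentions, as an added example that is neither slm's code nor anything from the page: the root account is limited to one source address with a global AllowUsers line placed in a drop-in file, and sshd is asked to validate the whole config before it is reloaded, so a typo cannot leave the box unreachable. It assumes OpenSSH 8.2 or newer with "Include /etc/ssh/sshd_config.d/*.conf" in sshd_config (older releases need the line in sshd_config itself), a Debian-style "ssh" service unit, and root rights; the file path and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not slm's code: restrict one account to one source address via
# an sshd_config drop-in, validated with "sshd -t" before the reload.
# Assumes OpenSSH 8.2+ (Include of sshd_config.d/*.conf), a Debian-style "ssh"
# unit, and root rights. DROPIN, SERVICE and the function names are constructed.
set -eu

DROPIN=${DROPIN:-/etc/ssh/sshd_config.d/10-reservation.conf}
SSHD=${SSHD:-/usr/sbin/sshd}
SERVICE=${SERVICE:-ssh}

# Accept only a dotted quad with an optional prefix length: the value is written
# into a root-owned config file, and anything else is a typo at best.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# The line that limits <user> to logins from <ip>. AllowUsers is a global keyword
# (it is not permitted inside a Match block) and USER@HOST accepts address patterns.
render_allow() {  # render_allow <user> <ip>
    valid_ipv4 "$2" || { echo "not an IPv4 address or prefix: $2" >&2; return 1; }
    printf 'AllowUsers %s@%s\n' "$1" "$2"
}

# Write the drop-in, let sshd parse the complete config, and only then reload.
# A reload (SIGHUP) re-reads the config and keeps existing sessions; no restart.
# If the check fails, the drop-in is removed so nothing half-applied remains.
apply() {  # apply <user> <ip>
    line=$(render_allow "$1" "$2")
    printf '%s\n' "$line" > "$DROPIN"
    if "$SSHD" -t; then
        systemctl reload "$SERVICE"
    else
        rm -f "$DROPIN"
        echo "sshd -t rejected the new config; drop-in removed, sshd untouched" >&2
        return 1
    fi
}

# Lift the restriction and reload.
release_reservation() {
    rm -f "$DROPIN"
    systemctl reload "$SERVICE"
}

case ${1:-} in
    apply)   apply "${2:?user}" "${3:?address}" ;;
    release) release_reservation ;;
    '') ;;   # no arguments: only define the functions
    *) echo "usage: $0 apply <user> <ip>[/prefix] | release" >&2; exit 2 ;;
esac
```

Two properties of AllowUsers matter here: once the line exists, every account not listed is refused, so on a box where everyone is root it is exactly the lock the question wants, but on a box with other accounts they need their own entries; and "sshd -t" catches syntax errors only, not a mistyped address, so the command should be run from the session whose address it names. The expiry timer is left out of this block.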

linux ssh users login sshd

asked Aug 24 '18 at 1:30 by DevNull
edited Aug 24 '18 at 1:37 by Jeff Schaller

1 Answer

Using your example, I'd use iptables to expressly block Alice's SSH access and to accept SSH traffic from Bob's IP address. From the command line, you'd need to enter something like the following (or script it):



Allow Bob's IP (192.168.1.100) to SSH to the default port (22)



$ sudo iptables -I INPUT -s 192.168.1.100 -p tcp -m tcp --dport 22 -m comment --comment "Allow Bob to SSH" -j ACCEPT


And block Alice's SSH access



$ sudo iptables -I INPUT -s 10.1.0.200 -p tcp -m tcp --dport 22 -m comment --comment "Block Alice from using SSH to login" -j DROP


To unblock Alice, you'd use the iptables command with the --list and --line-numbers options to find the line containing her IP address and then delete the line from the table:



$ sudo iptables -L INPUT --line-numbers | grep 10.1.0.200   # list the INPUT chain only: line numbers are per chain
num target prot opt source destination
1 DROP tcp -- 10.1.0.200 anywhere tcp dpt:ssh /* Do not allow Alice to SSH in */

$ sudo iptables -D INPUT 1


or, to do the same with a single command:



$ sudo iptables -L INPUT --line-numbers | grep "10.1.0.200" | awk '{print $1}' | sort -rn | xargs -i sudo iptables -D INPUT {}   # highest line first, so earlier deletes don't shift the numbers still to be deleted


And use the same command, substituting Alice's IP with Bob's to remove the explicit "Allow" rule for Bob's IP.



I'll leave the scripting to you. Let me know if you'd like thoughts on how you'd best enable the 10 minute timer thing.

answered Jan 19 at 0:51 by L.Ray
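The question asks for a /opt/mine_for_10_mins.sh-style command; the answer above supplies the iptables rules. As an added example that is not part of the question or of L.Ray's answer, here the two are put together as one script. It departs from the answer in three ways: every rule carries a comment tag and is deleted by that tag through "iptables -S" rather than by line number, the DROP covers everyone except the caller's own SSH_CLIENT address instead of naming one person, and a transient systemd timer releases the box after a bounded time. It assumes iptables with the comment and conntrack matches, systemd-run, and root rights (everyone is root on these boxes); TAG, MAX_MINUTES and SSH_PORT are constructed values.

```shell
#!/bin/sh
# Added example (not from the question or from L.Ray's answer): the question's
# /opt/mine_for_10_mins.sh built on the answer's iptables rules.
# Assumptions: iptables with the comment and conntrack matches, systemd-run,
# root rights. TAG, MAX_MINUTES and SSH_PORT are constructed for this example.
set -eu

TAG=ssh-reservation                    # every rule added here carries this comment
SSH_PORT=22
MAX_MINUTES=600                        # 10 hours: nobody reserves a box for the weekend
IPTABLES=${IPTABLES:-"sudo iptables"}  # set IPTABLES=echo for a dry run

# Source address of the SSH session running this script (first field of SSH_CLIENT).
caller_ip() {
    c=${SSH_CLIENT:-}
    printf '%s' "${c%% *}"
}

# Clamp the requested duration (minutes) to [1, MAX_MINUTES]; reject non-numbers.
clamp_minutes() {
    case $1 in ''|*[!0-9]*) echo "duration must be a whole number of minutes" >&2; return 1 ;; esac
    if [ "$1" -lt 1 ]; then printf '%s' 1
    elif [ "$1" -gt "$MAX_MINUTES" ]; then printf '%s' "$MAX_MINUTES"
    else printf '%s' "$1"
    fi
}

# Match and target parts of the two rules; chain and position are added by the caller.
allow_spec() {  # allow_spec <ip>
    printf '%s' "-s $1 -p tcp --dport $SSH_PORT -m comment --comment $TAG -j ACCEPT"
}
# Only NEW connections are dropped, so sessions already open when the reservation
# starts keep running: the lock stops new logins, it does not evict anyone.
block_spec() {
    printf '%s' "-p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m comment --comment $TAG -j DROP"
}

reserve() {  # reserve <minutes>
    ip=$(caller_ip)
    [ -n "$ip" ] || { echo "SSH_CLIENT is empty; run this from an SSH session" >&2; return 1; }
    minutes=$(clamp_minutes "$1")
    # ACCEPT goes in at position 1 first, DROP at position 2 second, so there is
    # no moment at which the caller's own address is blocked. Specs are unquoted
    # on purpose so the shell splits them into iptables arguments.
    $IPTABLES -I INPUT 1 $(allow_spec "$ip")
    $IPTABLES -I INPUT 2 $(block_spec)
    # The timer lives in systemd, so it fires even after the reserving session ends.
    sudo systemd-run --on-active="$((minutes * 60))" "$(readlink -f "$0")" release
    echo "SSH reserved for $ip for $minutes minute(s)"
}

release() {
    # "iptables -S" prints each rule as its own add arguments, so tagged rules are
    # deleted verbatim; line numbers, which shift after every delete, are never used.
    $IPTABLES -S INPUT | grep -- "--comment $TAG" | sed 's/^-A INPUT //' |
    while read -r spec; do
        $IPTABLES -D INPUT $spec </dev/null   # </dev/null keeps sudo from eating the loop's input
    done
}

case ${1:-} in
    reserve) reserve "${2:-10}" ;;
    release) release ;;
    '') ;;                               # no arguments: only define the functions
    *) echo "usage: $0 reserve [minutes] | release" >&2; exit 2 ;;
esac
```

Run it from the session that should keep access, e.g. "sh /opt/mine_for_10_mins.sh reserve 10"; "release" ends the reservation early. Since the DROP matches only NEW connections, whoever is already logged in when Bob reserves stays logged in and their running jobs continue; what the script guarantees is that no new ssh, scp or sftp connection from another address is accepted until the timer fires or release runs. With everyone sharing the root account, the source address is the only thing that tells Bob from Alice, so this is a coordination lock rather than access control, and if Bob's VPN address changes mid-reservation he is locked out until the timer expires, which is why the cap on MAX_MINUTES matters.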