Wednesday, 18 June 2014

Restricting SSH sessions for accounts on Ubuntu server

If you look at man sshd_config, you can see that there is an option for MaxSessions. Unfortunately, this is the maximum number of sessions per network connection, not the maximum number for a specific user.
One thing you can do is set UsePAM yes in /etc/ssh/sshd_config, then configure PAM to handle the user limits by enabling the PAM module pam_limits.so. If you only want the limits to apply to ssh sessions, add the following line to /etc/pam.d/sshd:
 
session required pam_limits.so

I'm pretty sure all of the above is the default configuration. Now comes the part that actually sets the limit. pam_limits.so pulls its limits from /etc/security/limits.conf. If you want a user to only be able to have one active session at a time, just add the following line to that file:
 
user    hard    maxlogins    1

Once this is set up, on any login attempt when there's already an active session, the user will get the error Too many logins for 'user'. To make this apply to all users, use * for the user. You can also have it apply to certain groups; for instance, use @users to apply the rule to everyone in the users group.
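
The limit only takes effect when all three pieces line up: UsePAM in sshd_config, the pam_limits.so session line, and the maxlogins entry. The script below is an added example, not part of the original post, that checks them against copies of the files; the function names are illustrative and the sample files are constructed.

```shell
#!/bin/sh
# Added example: check the three settings described above against copies of
# the files. Function names are illustrative, not part of any package.

# First UsePAM value in an sshd_config (keywords are case-insensitive and
# sshd uses the first value it reads for a keyword).
sshd_usepam() {
    awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1"
}

# Succeeds if the PAM service file has an uncommented session line
# that loads pam_limits.so.
pam_has_limits() {
    awk '$1 == "session" && /pam_limits\.so/ { found = 1 }
         END { exit !found }' "$1"
}

# Print the hard maxlogins value for a domain field given exactly as written
# in limits.conf (user, @group or *). A type of "-" sets hard and soft.
# Reports the last matching line.
limits_maxlogins() {
    awk -v d="$2" '$1 == d && ($2 == "hard" || $2 == "-") &&
                   $3 == "maxlogins" { v = $4 }
         END { if (v != "") print v }' "$1"
}

# Usage: audit_maxlogins SSHD_CONFIG PAM_FILE LIMITS_FILE DOMAIN
audit_maxlogins() {
    rc=0
    [ "$(sshd_usepam "$1")" = "yes" ] || { echo "UsePAM is not yes in $1"; rc=1; }
    pam_has_limits "$2" || { echo "no pam_limits.so session line in $2"; rc=1; }
    n=$(limits_maxlogins "$3" "$4")
    if [ -n "$n" ]; then
        echo "hard maxlogins for $4: $n"
    else
        echo "no hard maxlogins entry for $4 in $3"; rc=1
    fi
    return $rc
}

# Constructed sample files, not taken from a real host.
demo=$(mktemp -d)
printf 'Port 22\nUsePAM yes\n' > "$demo/sshd_config"
printf '#session required pam_limits.so\nsession required pam_limits.so\n' > "$demo/pam_sshd"
printf 'user    hard    maxlogins    1\n@users  -  maxlogins  2\n' > "$demo/limits.conf"
audit_maxlogins "$demo/sshd_config" "$demo/pam_sshd" "$demo/limits.conf" user
rm -rf "$demo"
```

On a real host, pass /etc/ssh/sshd_config, /etc/pam.d/sshd and /etc/security/limits.conf as the first three arguments.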

Procedure to change OpenSSH pre login banner


1) By default, the sshd server turns off this feature.

2) Login as the root user; create your login banner file:
# vi /etc/ssh/sshd-banner
Append text:
Welcome to nixCraft Remote Login!

3) Open the sshd configuration file /etc/ssh/sshd_config using a text editor:
# vi /etc/ssh/sshd_config

4) Add/edit the following line:
Banner /etc/ssh/sshd-banner

5) Save file and restart the sshd server:
# /etc/init.d/sshd restart