Score:1

Conditionally stop interactive and non-interactive ssh login and give error message


I want to prevent interactive and non-interactive ssh login based on conditional logic. I need to test the username and give an error message.

People using sftp (non-interactive ssh) should also be subject to the luckness test.

How would I implement that? I have full control of the system.

I tried to use sshd ForceCommand, but according to https://stackoverflow.com/a/33714333/746461 it does not work for notty.

I'm not familiar with PAM and I doubt whether PAM can output a custom error message in case the login is interactive.

https://linuxhint.com/understanding_bash_shell_configuration_startup/ says a non-interactive login shell with the --noprofile option can bypass all bash config files. That's why I can't write my logic there.

Jeff Schaller:
I would recommend a slightly different approach and put users into a group, then using sshd_config's Match Group directive to force a /bin/false type command.
@JeffSchaller Can you comment on https://stackoverflow.com/a/33714333/746461 ? I thought it's saying ForceCommand does not work for notty.
Score:2

I figured it out. I can implement a PAM module to do that.

Save the following to, say, file /root/checkConnections.

#! /bin/bash

# Refuse the session when the user already owns $limit or more sshd processes.
# pam_exec exports the login name as PAM_USER.
limit=$1
c=$(pgrep -xcu "$PAM_USER" sshd)
if [[ $c -ge "$limit" ]]; then
    echo "Max $limit ssh connections allowed, but you have $c."
    exit 1   # a non-zero exit makes pam_exec fail and the session is refused
fi

Then in /etc/pam.d/sshd, add

session required pam_exec.so stdout /root/checkConnections 5

pam_exec.so executes the shell script; the stdout option sends the script's output to the user's terminal.

When the condition fails, the effect is like this.

$ ssh localhost
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-74-generic x86_64)

94 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Max 5 ssh connections allowed, but you have 5.
/root/checkConnections failed: exit code 1
Last login: Thu Jun 24 12:19:27 2021 from 172.18.33.67
Connection to localhost closed.
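An added example (not the answer's own script) that extends the same pam_exec approach to the username test the question asked for: a hypothetical deny list is combined with the connection limit, the policy runs only when PAM_TYPE is open_session (pam_exec also invokes session modules at close_session, where there is nothing to refuse), and the decision lives in a function that takes the session count as an argument so it can be exercised without a live sshd. The DENIED list and the default limit are constructed values; PAM_USER and PAM_TYPE are the environment variables pam_exec sets for the script.

```shell
#!/bin/bash
# Added example, not the answer's script: a pam_exec session hook that refuses a
# login either because the account is on a deny list or because the user
# already holds too many sshd sessions. pam_exec exports PAM_USER and PAM_TYPE.

DENIED="guest contractor"   # constructed sample deny list (space separated)

# decide USER COUNT LIMIT: print a reason and return 1 to refuse, return 0 to allow.
decide() {
    user=$1
    count=$2
    limit=$3
    for d in $DENIED; do
        if [ "$d" = "$user" ]; then
            echo "Account $user is not allowed to log in over ssh."
            return 1
        fi
    done
    if [ "$count" -ge "$limit" ]; then
        echo "Max $limit ssh connections allowed, but you have $count."
        return 1
    fi
    return 0
}

# count_sessions USER: number of sshd processes owned by USER (the answer's test);
# 0 when there are none, when the user does not exist, or when pgrep is absent.
count_sessions() {
    n=$(pgrep -xcu "$1" sshd 2>/dev/null) || n=0
    echo "${n:-0}"
}

# main [LIMIT]: apply the policy only while a session is being opened; the same
# script is also run at close_session, where nothing should be refused.
main() {
    limit=${1:-5}   # constructed default limit
    case "${PAM_TYPE:-}" in
        open_session) ;;
        *) return 0 ;;
    esac
    decide "$PAM_USER" "$(count_sessions "$PAM_USER")" "$limit"
}

# Only act when invoked by pam_exec (PAM_USER is set). A non-zero exit makes the
# "session required" line fail and sshd closes the connection.
if [ -n "${PAM_USER:-}" ]; then
    main "$@"
    exit $?
fi
```

Install it the same way as the answer's script (session required pam_exec.so stdout /root/checkLogin 5, with the path being whatever you saved it under). Because the hook sits in the session stage it applies to sftp sessions too; the refusal happens regardless of whether the client has a terminal, but only a terminal client will display the stdout text.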