| === denningsrogue4 is now known as denningsrogue | ||
| === jelly-home is now known as jelly | ||
| === markthomas_ is now known as markthomas | ||
| MIF | is there a way to kill someone off of a ssh? | 19:05 |
|---|---|---|
| andol | MIF: a) Remove their access, and b) Kill their existing sshd kill child process(es) | 19:14 |
| andol | Hmm, one too many kill there I think. | 19:15 |
| MIF | I don't need to remove the access because I just need to lock my self off of my server during certain hours | 19:15 |
| andol | Even easier then. | 19:17 |
| andol | Anyway, something like this ought to do the trick | 19:17 |
| MIF | what do I have to do for that? | 19:17 |
| andol | pkill -u USERNAME sshd | 19:17 |
| MIF | how would I put this into a script? | 19:20 |
| teward | you might prefer a script that is executed at a specific time every day that locks your user at the system level, and then a second script later on that unlocks your user. | 19:21 |
| teward | but that's... tricky in itself | 19:21 |
| teward | it'd also prevent you direct access via console too :P | 19:21 |
| MIF | how would I do that? | 19:21 |
| teward | well there's one other way i can think of that'd work but it'd block all logins. script to disable: pkill -u USERNAME sshd; usermod --shell /usr/sbin/nologin USERNAME | 19:23 |
| MIF | ok | 19:23 |
| teward | script to enable: usermod --shell /bin/bash USERNAME | 19:23 |
| teward | but again this is UNTESTED | 19:23 |
| teward | and you still need to crontab each of these for the root user | 19:23 |
| MIF | ok, I am going to spin up a test user | 19:23 |
| MIF | This account is currently not available. | 19:25 |
| MIF | it works | 19:25 |
| teward | yep now test the enable script | 19:27 |
| teward | and then crontab these `sudo crontab -e` and set the times you need for it to disable/kill SSH sessions and lockout the user. | 19:27 |
| teward | (it also blocks SSH key auth which is why it's a decent solution) | 19:27 |
| teward | but i would suggest that you should just exercise self restraint ;) | 19:28 |
| MIF | that is kinda hard for me to do, and my grades are showing it | 19:28 |
| MIF | how can I check the shell a user is set to? | 19:33 |
| teward | first install `finger` - `sudo apt install finger`. Then this can get it: `finger USERNAME | grep -oP 'Shell: \K.*'` | 19:38 |
| teward | replace USERNAME with the target user | 19:38 |
| MIF | ok | 19:38 |
| teward | alternatively you can try and grep through `/etc/passwd` for the user. Example: `cat /etc/passwd | grep teward` returns "tewardâ1000:1000:Thomas Ward,,,:/home/teward:/bin/bash" - username : password (X means it's in a different location) : default UID : default GID : user details of some sort : home directory : shell | 19:40 |
| teward | alternatively you can try and grep through `/etc/passwd` for the user. Example: `cat /etc/passwd | grep teward` returns "teward:1000:1000:Thomas Ward,,,:/home/teward:/bin/bash" - username : password (X means it's in a different location) : default UID : default GID : user details of some sort : home directory : shell | 19:40 |
| teward | hate weird symbols >.< | 19:40 |
| teward | the final one is the shell but finger kind of reads half the info first. | 19:40 |
| MIF | do you think it would be easier if I set the output to a variable or directly in the if then statement? | 19:41 |
| MIF | I think I am going to stay with finger | 19:41 |
| teward | what if statement | 19:41 |
| teward | you're asking for solutions then referencing things that we haven'tseen :p | 19:41 |
| MIF | sorry, I was asking for a script I am writing to lock my self out of the server, so the first time it ran it will lock me, the second time it would unlock me, the third time it would lock me, ect. | 19:42 |
| teward | don't try and do it with only one scritp | 19:45 |
| teward | do it with two different scripts | 19:46 |
| MIF | Ok | 19:46 |
| teward | one for lockout one for unlock | 19:46 |
| teward | saves you the logic headaches | 19:46 |
| teward | AND you can better audit when each script is ran | 19:46 |
| teward | rather than trying to run a single script and program the proper logic in | 19:46 |
| MIF | Ok | 19:46 |
| teward | sometimes the complexity of doing everything in one script is **too** much for simple things :p | 19:46 |
| MIF | Ok | 19:47 |
| albert23 | isn't pam_time supposed to take care of all that? (man pam_time) | 19:50 |
| teward | ah forgot about that but it requires configuration in /etc/security/time.conf and I don't have examples to block it on ssh only console access | 19:51 |
| teward | but that's in `man time.conf` not `man pam_time` | 19:51 |
| MIF | would pam_time allow me to login via keyboard? | 19:54 |
| MIF | I would prefer a way to get into my server if needed | 19:54 |
| albert23 | I guess that depends where you include pam_time in the other pam modules, for example in /etc/pam.d/sshd | 19:58 |
| MIF | ok | 19:58 |
| albert23 | But I have not used it myself, it was just an idea | 19:58 |
| MIF | Ok | 19:58 |
| MIF | anyone who uses pam_time, would this work? sshd;tty*;nathaniel;Wk0840-1700 | 19:59 |
| teward | MIF: by 'login via keyboard' you mean directly on the device's console? | 20:10 |
| MIF | yes | 20:10 |
| teward | because that's a 'console' time control, if you don't have such a control it wont' block console access | 20:10 |
| MIF | ok | 20:11 |
| MIF | I just need to block ssh access | 20:11 |
| === denningsrogue2 is now known as denningsrogue | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!