3

Is there any way that stop ssh logins without confirmation? When anyone wants to login to my computer, I am prompted by ssh to confirm the login before it is successful.

In our university lab, all computers have common usename and passwords so that anyone, students mainly, can access the computers. I need a way so that that can ssh prevent logins until I confirm.

Similarly, is there a log file I can use so that I know if anyone is accessing my computer?

Anna
  • 2,110
shantanu
  • 8,599

2 Answers2

3

SSH was not designed for such on-demand access. However, if shell access (or file transfer) is the only thing you've to worry about, you've to restrict the possibilities for SSH and add a script that does not launch a shell unless you allow to.

For the SSH limiting part, I took a part of How to create a restricted SSH user for port forwarding?. Edit /etc/ssh/sshd_config and add:

Match user your-username
    AllowAgentForwarding no
    ForceCommand ~/bin/ssh-confirm

Create the executable ~/bin/ssh-confirm (mode 755) and create a script/ program in the language at your choice that make you need to confirm before dropping a SSH shell, e.g.:

#!/bin/bash
confirmfile="$HOME/allow-ssh-for-pid-$$"
if [ -f "$confirmfile" ]; then
    echo "Old confirmation file found for the SSH session, exiting!"
    exit 1
fi
# wait for a grant for 30 seconds before giving up
for ((i=0; i<30; i++)); do
    if [ -f "$confirmfile" ]; then
        rm "$confirmfile"
        exec "$SHELL"
    fi
    sleep 1
done
echo "SSH access timed out."
exit 1

This would require you to create the file "allow-ssh-for-pid-$$" where $$ is the pid of the script executed from SSH. You can use ps, pidof, etc for determining the PID. Of course, it could be more sophisticated like alerting you through notify, but I'll assume that people will give you a ring if they try to access you.

Also, I assume you trust the people you grant SSH access. If not, create a separate user (without sudo permissions of course ;) ) and store the ssh-confirm on a place like /usr/local/bin and store access tokens somewhere else.

SSH login attempts (and logouts) are logged to /var/log/auth.log. Run w to get a list of logged in users (note: you'll get multiple entries for terminals you open on your machine, pay attention to the FROM column).

Community
  • 1
Lekensteyn
  • 174,277
  • I did not know about w. This is a command that I have been wondering about for years, and now wonder why nobody told me existed! – Anna Oct 14 '11 at 21:17
  • 1
    @Anna: finger is another funny one. – Lekensteyn Oct 14 '11 at 21:20
  • haha been a while since that command came up! thanks for the amusement, just pasted the command and its output to my girlfriend that I just got using my vps yesterday, much hilarity and levity is sure to ensue! – Anna Oct 14 '11 at 21:55
0
/var/log/auth.log

This is where you can view a login history. I'm not sure if there's an elegant solution to what you're thinking of with controlling access, however, as all I can think of is some kind of crazy scheme where you use rsync or something like that to revoke and re-instate the SSH keys as needed.

Anna
  • 2,110