Home/ Questions/Q 7617025
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T03:02:28+00:00

Is it possible to have a PAM module that checks to see if a

  • 0

Is it possible to have a PAM module that checks to see if a user attempting login via OpenSSH is already logged in and if they are then deny the 2nd login?

I’ve tried several other way to prevent more than one login session but nothing is working, if someone can confirm this is doable using a custom PAM module I’d be very grateful, thanks.

I noticed the limits.conf works ok when I comment out the sftp config:

# SFTP + Port Forwarding Only for Normal Users
# Create home directory in /home/%u and set permissions to user / sftponly
# then do a usermod -d / user
# In Tunnelier set user home to /home

#Subsystem sftp /usr/lib/openssh/sftp-server

#Match group sftponly
#ChrootDirectory /home/%u
#X11Forwarding no
#AllowTcpForwarding yes
#ForceCommand internal-sftp

but it breaks the sftp.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could check the number of active login sessions using utmp or utmpx, a simple loop something like this:

    #include <utmpx.h>

int get_num_login_sessions( const char* username )
{
    int num_active_sessions = 0;
    struct utmpx* ent = NULL;
    setutxent();
    while( (ent = getutxent()) != NULL )
    {
        if( ent->ut_type == USER_PROCESS &&
            strcmp(username, ent->ut_user) == 0 )
        {
            num_active_sessions++;
        }
    }
    endutxent();
    return num_active_sessions;
}

    See the wikipedia entry for utmp: http://en.wikipedia.org/wiki/Utmp

    If you created a pam module that did this and stacked it at the top of your auth stack you could fail if the number of active sessions was more than 0 (so long as your module was stacked as requisite or required).

    • 0