Description
Dynamically limit user logins by IP using pam_exec module. Effectively pinning a user to an IP until they are fully disconnected
pam_ssh_limit_ip alternatives and similar tools
Based on the "SSH" category.
Alternatively, view pam_ssh_limit_ip alternatives based on common mentions on social networks and blogs.
- Gravitational Teleport: The easiest, and most secure way to access and protect all of your infrastructure.
- KeyBox: Bastillion is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys.
- ShellHub: Get seamless remote access to any Linux device. Centralized SSH for the edge and cloud computing.
- SSH Power Tool: Execute commands and upload files to many servers simultaneously without using pre-shared keys.
README
pam_ssh_limit_ip
Dynamically limit user logins by IP using pam_exec module. Effectively pinning a user to an IP until they are fully disconnected
What this is
Basically an idea I had and now a proof of concept. I also like using pam_exec when I don't want to write a custom module in C. Maybe this will give some other people ideas of what to do with the PAM auth subsystem - it's very powerful and flexible!
What this isn't
A perfect or probably a "real" solution - it's more of a deterrent and a pet project I wanted to see if I could do.
Why?
I needed a way to limit people by IPs connecting via SSH. Effectively I wanted to "pin" a user to an IP until they had no more connections from that IP. Once disconnected, they can log in from another IP. A lot of the solutions I found would have required constant changes to support and this didn't scale well enough for me.
In its shortest example: say you have User A and User B sitting in the same VLAN at your office and you don't want them sharing the SSH account "myapp" at the same time. This makes it so they can't, without an additional hop / annoyance to them - like User B SSH'ing to User A's desktop and then bouncing off of his machine into the server in question.
Why PAM?
- SSH allows you to use Match blocks, but this was too much of a static configuration for me. I needed something more event driven.
- SSH ForceCommand is run after the user's environment is loaded, so there are ways around it.
- /etc/profile.d is loaded every time a shell is loaded, so maybe it could have been leveraged, but it would have needed more hacks to make sure we were actually in an SSH connection.
- PAM has an sshd file which I leveraged. I can then guarantee that this check is done in memory/processing and the user is not able to break out of it. Further, it's the last step before invoking a TTY for a user.
- Had all the information I needed.
Next?
- Make it more self sufficient. Don't rely on w command output and ping command output.
Install
- Copy etc/pam_session.sh to /etc/ and then chmod 755 /etc/pam_session.sh
- Update /etc/pam.d/sshd and place the following line at the bottom of the file:
session required pam_exec.so seteuid stdout /etc/pam_session.sh
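To show what a script invoked by that pam.d line can look like, here is an added example hook that is not the project's own etc/pam_session.sh. It uses the environment pam_exec exports to the script (PAM_SERVICE, PAM_TYPE, PAM_USER, PAM_RHOST), reads existing logins from `who` instead of `w`, and fails the open_session phase when the user already has a session from a different source address. The sample `who` lines and the addresses in the comments are constructed for the example; the pin-check logic is in `check_pinned` so it can be exercised without a live PAM stack.

```shell
#!/bin/sh
# Added example, not the project's pam_session.sh.  Installed as
# /etc/pam_session.sh and invoked by:
#   session required pam_exec.so seteuid stdout /etc/pam_session.sh
# A non-zero exit makes pam_open_session() fail, so sshd drops the connection.

# check_pinned USER RHOST SESSIONS
#   SESSIONS is newline-separated "user ip" lines (what parse_who prints).
#   Exit 0 (allow) when USER has no live sessions or all of them come from
#   RHOST; exit 1 (deny) when any of USER's sessions comes from another address.
check_pinned() {
    user=$1
    rhost=$2
    sessions=$3
    printf '%s\n' "$sessions" | awk -v u="$user" -v h="$rhost" '
        $1 == u && $2 != h { other = 1 }
        END { if (other) exit 1 }'
}

# parse_who: turn `who` output on stdin into "user ip" lines.  Only entries
# whose host field looks like an IPv4/IPv6 address are kept; console logins
# (no host) and X or tmux style hosts such as "(:0)" are ignored so they do
# not count as "another address" for the pin check.
parse_who() {
    awk '$NF ~ /^\([0-9a-fA-F.:]+\)$/ && $NF !~ /^\(:/ {
             gsub(/[()]/, "", $NF); print $1, $NF
         }'
}

# current_sessions: live logins recorded in utmp.  Assumption: sshd writes the
# utmp entry for the session being opened only after PAM returns, so the
# current login is not yet in this list when the hook runs.
current_sessions() {
    who | parse_who
}

# pam_main: the check as run by pam_exec.  Only the open_session phase of the
# sshd service is enforced; close_session and logins without a remote host
# (local console) are allowed through unchanged.
pam_main() {
    [ "${PAM_SERVICE:-}" = "sshd" ] || return 0
    [ "${PAM_TYPE:-}" = "open_session" ] || return 0
    [ -n "${PAM_USER:-}" ] && [ -n "${PAM_RHOST:-}" ] || return 0
    if ! check_pinned "$PAM_USER" "$PAM_RHOST" "$(current_sessions)"; then
        # With "stdout" on the pam.d line this text is shown to the SSH client.
        echo "User $PAM_USER is already logged in from another address;" \
             "try again once those sessions are closed."
        return 1
    fi
    return 0
}

# Run the check only when pam_exec invoked us (it exports PAM_TYPE); sourcing
# the file from a shell just defines the functions above.
if [ -n "${PAM_TYPE:-}" ]; then
    pam_main
    exit $?
fi
```

Because the hook keys on PAM_RHOST, a user who is already in from 192.0.2.10 (constructed address) can open further sessions from that same address but is refused from anywhere else until the last of those sessions closes, which is the "pin until fully disconnected" behaviour described above. Anything the check cannot classify (no remote host, non-sshd service) is allowed rather than denied, so a parsing surprise locks nobody out of the console.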