SUMMARY: SunOS5: Restricting logins

From: Peter Hesse (hessep@gb.swissbank.com)
Date: Tue Jul 02 1996 - 05:50:05 CDT


Last week I asked:

>Is it possible to restrict the number of people simultaneously logged
>into a host running SunOS 5.4 or 5.5?

As usual, the replies came quickly. Many thanks to those who replied:

M.Toth-Abonyi@cc.u-szeged.hu (Toth-Abonyi Mihaly)
Tony Ching-Tung Wu <tonywu@keelung.transend.com.tw>
Andre Gustavo de Carvalho Albuquerque <gus@Condor.eme.eb.mil.br>
nobroin@esoc.esa.de (Niall O Broin - Gray Wizard)
Robbie Honerkamp <robbie@tomservo.mindspring.com>
"Edgar V.S. Der-Danieliantz" <edd@aic.net>
"Bushman, Gonzo" <BUSHMAN@comswsys.tinkernet.af.mil>

It certainly is possible. Sorry for the tardy summary; mailtool died
just before I finished the writeup. (mailtool keeps text in memory,
not on disk. When it dies it takes all trace of the text with it.
Trawling an 11 Mb core file was no help. Sun, take note.)

Despite asking about restricting logins, the client really needs
something more specific: Users are connecting from PCs and using xdm
to access an application. They need temporarily to control the number
of application users to limit loading. This cannot be done inside the
application.

This is what I recommended:

1. Configure xdm to suit TS users specifically on the TS machines.

   Use the Xstartup script to control access.
   Use
      w
   or/and
      /usr/ucb/ps auxc|grep 'ts_*'|awk '{print $1}'|sort -u
   to find genuine TS users (running ts_*).
   Use
      /usr/ucb/ps auxc|grep Menu2|awk '{print $1}'|sort -u
   to spot memory wasting TS users who have been logged out. The
   latter use about 4.5 Mb of real memory even though they are not
   using TS. I saw 40 Mb of memory wasted this way.

   You may want to do more with Xreset and Xsession; you might utilise
   utmp entries.

   Simplify the login mechanism. Menu2 is not really required.
   Without it, TS startup is so fast (~3 seconds; cf. ~3 minutes with
   it) that you could implement separate PC icons for each TS host.
   Resizing can be done directly on the xterm but you must educate the
   users so that they know how to do this and feel comfortable with the
   different (much faster) mechanism.
   
   You could, with care, do this without downtime.

2. Install idled.

   It is available via ftp from
   gcedunet.gac.peachnet.edu:/pub/unix/idled-1.15a.tar.gz

3. /etc/system:

        set pt_cnt = max_number_of_allowed_users # System V
        set npty = max_number_of_allowed_users # BSD

   You may not need to set npty, but some BSD programs (rsh etc.) just
   might need it.

        set maxusers=max_number_of_allowed_users

   I'm unsure of the effect of this under SunOS5.

   /etc/system changes require boot -r so you need to schedule
   downtime.

4. /etc/profile:

   This is a more general variant on reconfiguring xdm. It is more
   complex to restrict just TS users since, without special effort, any
   change here will affect all users. Above all, do not implement a
   mechanism that prevents root or sysadmins from logging in when they
   need to diagnose a problem, i.e. when the system is falling to bits.

Attached are the replies I received.

Pete
______________________________________________________________________
Peter Hesse | On assignment at:
HASP Limited | SBC Warburg (LONDON)
                        | Voice: +171-711-4566
                        | Email: hessep@gb.swissbank.com
______________________________________________________________________

----- Begin Included Message -----

From: M.Toth-Abonyi@cc.u-szeged.hu (Toth-Abonyi Mihaly)

You should enter the following set command into your /etc/system file:

set pt_cnt=max_number_of_allowed_users

e.g: set pt_cnt=255

After that reboot your computer.
_____________________________________________________________________
From: Tony Ching-Tung Wu <tonywu@keelung.transend.com.tw>

Yes, the number of people simultaneously logon a host is limited by the
number of pseudo ttys, say 64, 256, so and so. The default is 64 if I can
remember. You can change that to any number you want.
______________________________________________________________________
From: Andre Gustavo de Carvalho Albuquerque <gus@Condor.eme.eb.mil.br>

  Try limiting the number of ttyp. . . and ttyq. . in the
  /etc/ttytab

  remember that for the changes to take effect you have to restart the
  init process (kill -1 1).
______________________________________________________________________
From: nobroin@esoc.esa.de (Niall O Broin - Gray Wizard)

Not directly AFAIK but you can add something into a common profile file (in
/etc/profile for sh and ksh users, .login for csh users) which massages the output
of who and logs a user right out if he is the unlucky one.

e.g. you could add this at the start of /etc/profile

MAXUSERS=whatever
NUMUSERS=`who|awk '{print $1}'|sort|uniq|wc -l`

if [ $NUMUSERS -ge $MAXUSERS ] ; then
        echo Tough luck - too many users - BYE BYE
        exit 0
fi

Note that the way NUMUSERS is calculated here will only account for each login
name once, so if you might have the same name used multiple times, you might want
to use something slightly different like

NUMUSERS=`who|awk '{print $2}'|sort|uniq|wc -l`

which sorts on login terminals. Come to think, that's probably a better solution
all around !
______________________________________________________________________
From: Robbie Honerkamp <robbie@tomservo.mindspring.com>

There's a little program called idled that can do all sorts
of magic with user logins. It can log them out after a preset
amount of time, it can kill all logins from a particular IP,
it can start logging out extra user logins after a preset
login limit has been reached, and can prohibit further users
from logging in.

It's ftpable from gcedunet.gac.peachnet.edu, in
/pub/unix/idled-1.15a.tar.gz
______________________________________________________________________
From: "Edgar V.S. Der-Danieliantz" <edd@aic.net>

yes.

system-dependent fashion: see /etc/system or man system

system-independent: write script (who, et al) and insert it in /etc/profile (for sh/ksh users)

second is better, IMHO.
______________________________________________________________________
From: "Bushman, Gonzo" <BUSHMAN@comswsys.tinkernet.af.mil>

There is a parameter in the /etc/system file called maxusers. This
defaults to 8. It is the maximum number of users that can be logged into
the system at a time. If you change this value, you will have to reboot
in order for it to take effect. Also, there are a couple of other
parameters that you may want to look at if you are going to change the
maxusers. These are:

max_nprocs   This is the maximum number of processes
             (default = 10 + 16 * maxusers)
maxuprc      This is the maximum number of user processes
             (default = max_nprocs - 5)
ufs_ninode   This is the maximum number of inodes, or files that can be
             open at a time (default = max_nprocs + 16 + maxusers + 64)
______________________________________________________________________

----- End Included Message -----
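
Added example (not part of the original thread or any reply): a session limit for /etc/profile that counts distinct login terminals, as suggested above, and never refuses the admin accounts, per the warning in the summary. MAXSESSIONS, EXEMPT_USERS, the function names and the sample who lines are assumptions constructed for illustration; the check also assumes the new session is already listed by who when the profile runs.

```shell
# Assumed policy values; adjust for the site.
MAXSESSIONS=3
EXEMPT_USERS="root sysadm"   # accounts that must always be able to log in

# Count distinct terminals (column 2 of `who` output on stdin), ignoring
# sessions owned by exempt accounts. Needs POSIX awk (nawk on SunOS 5).
count_sessions() {
    awk -v exempt="$EXEMPT_USERS" '
        BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        NF >= 2 && !($1 in skip) && !($2 in seen) { seen[$2] = 1; c++ }
        END { print c + 0 }'
}

# Succeeds if the named user is on the exempt list.
is_exempt() {
    for u in $EXEMPT_USERS; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

# login_allowed USER, with `who` output on stdin.
# Returns 0 to allow the login, 1 to refuse it.
login_allowed() {
    is_exempt "$1" && return 0        # never lock out admins
    n=`count_sessions`
    [ "$n" -le "$MAXSESSIONS" ]       # the count includes the new session
}

# Constructed sample of `who` output, used to exercise the functions offline.
sample_who() {
cat <<'EOF'
root       console      Jul  2 09:01
alice      pts/1        Jul  2 09:05
alice      pts/2        Jul  2 09:06
bob        pts/3        Jul  2 09:10
carol      pts/4        Jul  2 09:12
EOF
}

# Sketch of the call in /etc/profile:
#   who | login_allowed "$LOGNAME" || { echo "Too many users"; exit 0; }
```

Because the exempt accounts are skipped both in the count and in the decision, an administrator logged in on the console neither consumes a slot nor can be refused one.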


