
Friday 26 August 2011

Limiting the number of simultaneous user logins


When a user is created, the user generally has an unlimited number of simultaneous logins. This, I think, is generally not a good idea. There should be a limit to the number of virtual terminals that a user can open simultaneously. Those users who just cannot resist opening many terminals should seriously consider installing screen (Debian: sudo apt-get install screen; Red Hat, Fedora and others: yum install screen).
The key to this is the file /etc/security/limits.conf. This file is owned by root, readable by all users and writable only by its owner (root): -rw-r--r--.
This file consists of four columns: domain, type, item and value.
domain: a username, a group name (written with a leading @, e.g. @finance, @marketing) or the asterisk (*), which means everybody.
type: one of two values, soft or hard. A soft limit is one that may be temporarily exceeded by the user. A hard limit cannot be exceeded by a user under any circumstances.
item: one of the following:
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit (KB)
- maxlogins - max number of logins for this user
- maxsyslogins - max number of logins on the system
- priority - the priority to run user process with
- locks - max number of file locks the user can hold
- sigpending - max number of pending signals
- msgqueue - max memory used by POSIX message queues (bytes)
- nice - max nice priority allowed to raise to values: [-20, 19]
- rtprio - max realtime priority
- chroot - change root to directory (Debian-specific)

The items of interest for this particular post are maxlogins and its system-wide counterpart maxsyslogins. The descriptions next to the items are fairly self-explanatory.
value: the actual value that the limit is compared against. It is numeric, or a system path where appropriate. So, to limit the number of simultaneous logins for a specified user, do this:
username hard maxlogins 3

username is the username of the user whose number of simultaneous logins you want to restrict.
You can separate the fields with whitespace (a single tab works). This restricts user username to a maximum of 3 simultaneous logins.

The nice thing about this is that as soon as you successfully save the file, the security policy is immediately enforced.
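As an added example (this is not code from the original post), the POSIX shell script below parses a file in limits.conf format and reports the maxlogins value that would apply to a given user, following the precedence described in limits.conf(5): an entry naming the user overrides an @group entry, which overrides the * default. Keeping the last matching line when several match at the same level is this script's own assumption. The sample configuration, user names and group names are constructed. The script also includes the two checks a practitioner wants before relying on the file: whether any service in /etc/pam.d loads pam_limits.so (limits.conf is only read by that module, so without it nothing is enforced), and how many sessions utmp currently records for a user, which is what pam_limits compares against maxlogins.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the maxlogins value
# that a limits.conf-style file gives a user, and check the prerequisites
# for it actually being enforced. The config below is constructed.

SAMPLE_LIMITS='# constructed sample in limits.conf format
*          hard    maxlogins   10
@finance   hard    maxlogins   5
alice      hard    maxlogins   3
bob        soft    maxlogins   2
@finance   hard    nproc       200
'

# effective_maxlogins USER "GROUP1 GROUP2 ..." [FILE]
# Prints the maxlogins value that applies to USER, or "unlimited" when no
# line matches. Precedence follows limits.conf(5): an entry naming the user
# beats an @group entry, which beats the "*" default. When several lines
# match at the same level this example keeps the last one (an assumption).
effective_maxlogins() {
    user=$1
    groups=$2
    file=${3:-"-"}        # "-" makes awk read standard input
    awk -v user="$user" -v groups="$groups" '
        BEGIN {
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++) ingroup[g[i]] = 1
            best = 0
        }
        /^[[:space:]]*#/ || NF < 4 { next }   # skip comments and incomplete lines
        $3 != "maxlogins" { next }            # other items are not our concern here
        {
            dom = $1; rank = 0
            if (dom == user) {
                rank = 3                      # explicit user entry: highest priority
            } else if (substr(dom, 1, 1) == "@") {
                grp = substr(dom, 2)
                if (grp in ingroup) rank = 2  # group entry the user belongs to
            } else if (dom == "*") {
                rank = 1                      # default entry for everybody
            }
            if (rank > 0 && rank >= best) { best = rank; val = $4 }
        }
        END { if (best > 0) print val; else print "unlimited" }
    ' "$file"
}

# current_logins USER - how many sessions utmp currently records for USER,
# which is the number pam_limits compares against maxlogins.
current_logins() {
    who 2>/dev/null | awk -v u="$1" '$1 == u' | wc -l | tr -d ' '
}

# pam_limits_enabled - succeeds if some PAM service file loads pam_limits.so;
# without that module limits.conf is never read and nothing is enforced.
pam_limits_enabled() {
    grep -q 'pam_limits\.so' /etc/pam.d/* 2>/dev/null
}

# Demonstration on the constructed sample: alice is named directly, bob has a
# soft entry, carol is only covered by @finance, dave only by the "*" default.
for spec in "alice finance" "bob" "carol finance" "dave"; do
    set -- $spec
    printf '%-6s -> maxlogins %s\n' "$1" \
        "$(printf '%s' "$SAMPLE_LIMITS" | effective_maxlogins "$1" "${2:-}")"
done
if pam_limits_enabled; then
    echo "pam_limits.so is loaded by at least one service in /etc/pam.d"
else
    echo "WARNING: no service in /etc/pam.d loads pam_limits.so; limits.conf is not enforced"
fi
```

Two practical caveats the script's checks reflect: the new limit only affects logins attempted after the file is saved, since sessions already open are not terminated, and because pam_limits counts utmp entries, a session that does not register in utmp is not counted against maxlogins.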