<div dir="ltr"><br><div class="gmail_extra">On Mon, Nov 12, 2012 at 10:54 AM, Oleg Goldshmidt <span dir="ltr"><<a href="mailto:pub@goldshmidt.org" target="_blank">pub@goldshmidt.org</a>></span> wrote:<br><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Mon, Nov 12, <a href="tel:2012" value="+9722012">2012</a> at 10:40 AM, Elazar Leibovich <<a href="mailto:elazarl@gmail.com">elazarl@gmail.com</a>> wrote:<br>
<br>
> No problem with my scheme, if sshd won't kill old sessions, new sessions<br>
> will... (or maybe I misunderstand you).<br>
<br>
</div>No, I misunderstood you... Sorry.<br>
<br>
Killing existing active sessions in mid-flight seems hairy. You want<br>
to prevent two admins from tweaking the server simultaneously, and the<br>
latecomer may kill the session of the one who is already working,<br>
maybe in the middle of editing a configuration file, moving a bunch of<br>
data, whatever? Is it possible to leave a server in an<br>
unknown/inconsistent state?<br></blockquote><div><br></div><div>Of course, the user should be notified beforehand and decide if he indeed want to kill other session, the killed user should also get a notification on his terminal. (it was just a draft, it's probably not even working, I didn't run it). Joe will see that Moe has a session, and will ask him what he's doing. But he'll never be able to log in simultaneously.</div>
<div><br></div><div>Yeah, that policy might force a kill -9 in some rare state (someone left an active session and was sick, now we have to log in and kill his session). But in the long run I think it'll prevent more problems. Hey, this session might have something to do with what you're working on, so if you don't kill it, you might also end up in an inconsistent state.</div>
<div><br></div><div>Moreover, you should probably look at at the log before killing this session, and make sure you understand what he was doing. Understanding that from a concurrent log, is a much more difficult job. Enforcing the rule of one-session-at-a-time have benefit in this area as well.</div>
<div><br></div><div>You could accomplish that with a read-only user which can log in concurrently.</div><div><br></div></div></div></div>