how to "kick" a shell user

[Tenaka]

I have been unsuccessful in finding the right way to logout a user who did not log out from his session by using google although I have been searching for severall hours. maybe I was using the wrong serach terms, or whatever,

if I use who I see a user ist still loggesd into my system, he is a legitimate user whose session might have been interrupted by a failure. I have googled around and only found the advice to use skill with the user but that does not seem to work.

anyone more specific instructions? (I haven't yet read the man page for skill but is skill the solution or is there another command for this?)

[till]

You can remove them with the kill command. Example:

kill -9 PID

Where PID is the process ID of the lost session.

[Tenaka]

so you mean if the lost session was a ssh one, I should see a zombie process or maybe running process of sshd belonging to this user?

[till]

Quote:

Originally Posted by Tenaka

so you mean if the lost session was a ssh one, I should see a zombie process or maybe running process of sshd belonging to this user?

Yes, you can try this. Make an SSH session for a user with e.g. putty by looging in, then close putty without logging out. When you login as root and execute "ps -aux" you will see the old SSH session in the process list.

But normally it is not nescessary to kill them manually, as SSH will kill lost sessions after some time.

[falko]

You should see something like this:

Code:

root      2481  0.0  1.0 14452 2040 ?        Ss   12:52   0:00 sshd: root@pts/1
root      2484  0.0  0.8  2980 1624 pts/1    Ss   12:52   0:00 -bash

The first line is for a user logged in as root over SSH, the second one is working directly on the system.

To kill the first process run

Code:

kill -9 2481

to kill the second:

Code:

kill -9 2484

[Tenaka]

strange:

Quote:

hxxxx:/var/www/web7/user/web7_postmaster# who
web7_pos pts/1 Oct 28 18:06 (82.77.xxx.xxx)
falko pts/2 Oct 9 13:29

so falko is logged on, right?

Quote:

hxxxx:/var/www/web7/user/web7_postmaster# uptime
18:13:46 up 37 days, 18:24, 2 users, load average: 0.19, 0.10, 0.10

seems to be right.

Quote:

hxxxx:/var/www/web7/user/web7_postmaster# ps aux |grep falko
root 27271 0.0 0.1 1992 700 pts/1 S+ 18:14 0:00 grep falko

It should show me a process of falko here, right? but it doesn't. this seems to be my own personal ghost in the machine

[till]

Hi,

you are logged in as root? Then you can try this:

ps -aux | grep 'pts/2'

If you dont get any valid output, i recommend to call for a GostBuster
Or in case of a server rootkit-hunter http://www.rootkit.nl

[Tenaka]

I am logged in as web7_postmaster, then did a sudo su

Quote:

hxxxx:/etc/logcheck# ps aux | grep 'pts/2'
web7_po 28061 0.0 0.4 6580 2564 ? S 18:25 0:00 sshd: web7_postmaster@pts/2
web7_po 28062 0.0 0.3 3768 1908 pts/2 Ss 18:25 0:00 -bash
root 28065 0.0 0.3 3208 1752 pts/2 S 18:25 0:00 bash
root 30999 0.0 0.1 2388 868 pts/2 R+ 18:59 0:00 ps aux
root 31000 0.0 0.1 1992 700 pts/2 S+ 18:59 0:00 grep pts/2

[falko]

Why don't you simply run

Code:

ps aux

as root and have a look at all running processes instead of messing around with grep?

[Tenaka]

well, a ps aux does not show a process related to falko either...
might be an error of who, I have to further study this using google.
you see I was just wondering, because after installing hotsanic, I realized I had constantly one logged in user, so I found who and wondered how to kick this one user,... strange I have to look this up, how who finds out who is logged in, maybe it uses cached data or whatever..