epaalx
Jul 14, 2020

How to force administrator logout?

Hi Experts,

What's the sanctioned method to force an administrator logout or end that administrative session, preferably by TMSH/CLI? This is for administrators who log in via GUI (httpd) or shell (sshd). [I'm running v12.]

R's, Alex

4 Replies

  • Hello Alex.

    There is no straightforward way to do that.

    First of all, you can find out which IPs are connected to the device by checking socket connections to the sshd and httpd daemons.

    # netstat -tnp | grep -e httpd -e sshd 
    tcp        0      0 192.168.102.41:22           192.168.102.42:55842        ESTABLISHED 18486/sshd
    tcp        0      0 192.168.102.41:22           10.90.81.144:61965          ESTABLISHED 16290/sshd
    tcp        0      0 ::ffff:192.168.102.41:443   ::ffff:10.90.81.144:53589   ESTABLISHED 9097/httpd

    Usernames connected through SSH can be checked by 'who'.

    # who
    root     pts/0        2020-07-15 19:46 (10.90.81.144)
    admin    pts/1        2020-07-15 19:38 (192.168.102.42)

    Usernames connected through both systems (SSH/HTTP) can also be checked by IP using the audit logs.

    # cat /var/log/audit | grep 10.90.81.144
    Jul 15 19:07:32 kang notice httpd[9098]: 01070417:5: AUDIT - user Administrador - RAW: httpd(mod_auth_pam): user=Administrador(Administrador) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:32 2020".
    Jul 15 19:07:58 kang info sshd(pam_audit)[16293]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020" end="Wed Jul 15 19:07:58 2020".
    Jul 15 19:07:58 kang info sshd(pam_audit)[16290]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020".
    Jul 15 19:08:49 kang info sshd(pam_audit)[16387]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020" end="Wed Jul 15 19:08:49 2020".
    Jul 15 19:08:49 kang info sshd(pam_audit)[16384]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020".

    After this introduction, let's move on to your question.

    One way to force users to not interact with one specific device is to restrict access to one source IP (or range) for both daemons (sshd/httpd).

    tmsh modify sys httpd allow replace-all-with { 192.168.102.0/255.255.255.0 }
    tmsh modify sys sshd allow replace-all-with { 192.168.102.0/255.255.255.0 }
    tmsh list sys httpd allow
    tmsh list sys sshd allow
    tmsh save sys config

    After that, those users trying to access the GUI will get a message indicating that access is forbidden.

    In case of SSH users, they have to be forced to disconnect their sessions manually. To do so, you can kill their connections.

    who
    netstat -tnp | grep sshd
    kill -9 <PID>

    You can reestablish normal access using these commands.

    tmsh modify sys httpd allow replace-all-with { All }
    tmsh modify sys sshd allow replace-all-with { All }
    tmsh list sys httpd allow
    tmsh list sys sshd allow
    tmsh save sys config

    Regards,

    Dario.

  • Hi Dario,

    Thank you for taking the time and effort to provide a complete answer. I erred by excluding a critical proviso in my question - I should have written "How to force graceful administrator logout?"

    My issue is when a fellow administrator is adamant that he logged out, yet I don't see an "end=" message in SYSLOG or /var/log/audit.

    Every enterprise-grade device has a means to force (graceful) administrator logout - for instance, in FortiOS, "execute disconnect-admin-session". Is it unreasonable to expect the same in BIG-IP?

    R's, Alex

    PS. "Usernames connected through SSH can be checked by 'who'." - I believe the F5-sanctioned method is the "w" command.
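
Added example, not part of the thread: a Python 3 sketch that reads audit records in the format quoted above and lists logins that have a start= record but no matching end=, which is the situation described in this reply. It assumes the logout record comes from the same daemon PID and repeats the same start= value with end= appended; the sample's final line is constructed to show that case.

```python
import re

# Records in the /var/log/audit format quoted in this thread.
# The final line (a logout carrying end=) is constructed for the example.
SAMPLE = '''\
Jul 15 19:07:32 kang notice httpd[9098]: 01070417:5: AUDIT - user Administrador - RAW: httpd(mod_auth_pam): user=Administrador(Administrador) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:32 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16293]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020" end="Wed Jul 15 19:07:58 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16290]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020".
Jul 15 19:08:49 kang info sshd(pam_audit)[16384]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020".
Jul 15 19:31:02 kang info sshd(pam_audit)[16384]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020" end="Wed Jul 15 19:31:02 2020".
'''

# daemon[pid], then user=, tty=, host=, start= and an optional end= field.
RECORD = re.compile(
    r'(?P<daemon>\w+)(?:\([^)]*\))?\[(?P<pid>\d+)\]: 01070417:\d+: AUDIT - .*?'
    r'user=(?P<user>[^( ]+)\(.*?tty=(?P<tty>\S+) host=(?P<host>\S+) .*?'
    r'start="(?P<start>[^"]+)"(?: end="(?P<end>[^"]+)")?'
)


def open_sessions(lines):
    """Return (daemon, pid, user, host, start) for logins with no end= record."""
    sessions = {}  # session key -> True once an end= record has been seen
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue  # not an audit login/logout record
        # Assumption: the logout record repeats daemon, PID and start=.
        key = (m['daemon'], m['pid'], m['user'], m['host'], m['start'])
        sessions[key] = sessions.get(key, False) or m['end'] is not None
    return [key for key, closed in sessions.items() if not closed]


if __name__ == "__main__":
    for daemon, pid, user, host, start in open_sessions(SAMPLE.splitlines()):
        print(f"{user}@{host} via {daemon}[{pid}] since {start}: no end= logged")
```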

    • Hello Alex.

      I know what you mean, but this feature doesn't exist in F5.

      Take into account that using an F5 is like using Linux. In the case of FortiOS you have a closed environment that allows you to get this type of feature.

      Anyway, restricting httpd source IP is not less aggressive than using "execute disconnect-admin-session".

      PS. Both commands exist in F5 ('who' and 'w'); use whichever you prefer.

      Regards,

      Dario.

  • Directory "/var/run/pamcache/" contains files pertaining to current administrative TMUI (GUI) logins. It's sufficient to delete the file to force logout.

    I've submitted a feature request for a TMSH command for both TMSH and SSH logins.