How to restrict members of a certain group to one login per user?
I have an ssh server. Some of my users login several times simultaneously; some of those who are doing that should not be, and I suspect account sharing. The ones who shouldn't are all members of a particular unix group.
What I'd like is a way to restrict the number of concurrent logins that members of group 402 can have to "one each", with the most recent login taking precedence.
That last bit is important; these users sometimes legitimately lose their connection to the machine and need to re-establish it, and I don't want them to be locked out of the machine because there's a hanging session which they can't kill. Instead, I want a new authenticated connection attempt to automatically disconnect the old one.
Does anyone do anything like this? Has anyone any clever PAM-based or similar suggestions?
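The behaviour the question asks for (members of one group limited to a single login, with the newest login winning) can be done with a pam_exec session hook. The script below is an added example, not from the original post or its answers; it assumes it is installed as /usr/local/sbin/one-login.sh and referenced from /etc/pam.d/sshd with `session optional pam_exec.so /usr/local/sbin/one-login.sh`, that the hook runs as root, and that sshd records the new login in utmp under the pid of the sshd process that invoked the hook ($PPID).

```shell
#!/bin/sh
# Added example (not from the original post): pam_exec session hook that keeps
# members of one group to a single login, newest wins.
# Assumed install line in /etc/pam.d/sshd:
#   session optional pam_exec.so /usr/local/sbin/one-login.sh
# pam_exec exports PAM_TYPE and PAM_USER to the script.
set -u

RESTRICTED_GID="${RESTRICTED_GID:-402}"   # gid from the question

# True when the whitespace-separated gid list on stdin contains $1.
# The hook feeds it `id -G user`, which lists primary and supplementary gids.
member_of() {
    tr ' ' '\n' | grep -qx -- "$1"
}

# Print the utmp pids of login sessions owned by $1, excluding pid $2.
# Input is `who -u` output: NAME LINE DATE TIME IDLE PID COMMENT.
other_session_pids() {
    awk -v u="$1" -v keep="$2" '$1 == u && $6 != keep { print $6 }'
}

main() {
    user="${PAM_USER:?PAM_USER not set}"
    # Users outside the restricted group are left alone.
    id -G "$user" | member_of "$RESTRICTED_GID" || return 0
    # Assumption: the new login belongs to our parent sshd process ($PPID),
    # so every other session of this user is an older one and gets closed.
    for pid in $(who -u | other_session_pids "$user" "$PPID"); do
        logger -t one-login "closing older session pid $pid of $user"
        kill -TERM "$pid" 2>/dev/null || true
    done
    return 0
}

# Only act when PAM opens a session; the hook never fails the login itself.
case "${PAM_TYPE:-}" in
    open_session) main ;;
esac
```

Because the older session is terminated rather than the new one refused, a user whose connection dropped can simply reconnect and the hanging session is cleaned up for them.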
I believe you could use /etc/security/limits.conf to enforce this; the syntax is:
<domain> <type> <item> <value>
So a working line might look like:
@402 hard maxlogins 1
As for the lost sessions, could you set a low ClientAliveInterval in sshd to ensure dead sessions don't hang around for too long?
Use the MaxSessions directive in sshd_config.
Match Group groupname
MaxSessions 1
ClientAliveInterval 30
ClientAliveCountMax 1
Put this at the end of your file so that the values are overridden only for the group groupname (you must use the name, not the numerical ID). If the client does not respond to more than one message, sent every 30s, the client will be disconnected. You can fiddle with the numerical values to your satisfaction. Seems to work on my RHEL 6.