Limit number of connections per user?

Goran Hasse gorhas at gmail.com
Fri Apr 16 14:06:07 EST 2010


Then plan from the beginning how to handle aliased interfaces!

On FreeBSD it could look like:

ifconfig -a
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	inet 192.5.36.21 netmask 0xfffffff0 broadcast 192.5.36.31
	inet 192.5.36.24 netmask 0xffffffff broadcast 192.5.36.24
	inet 192.168.10.10 netmask 0xffffffff broadcast 192.168.10.10
	inet 192.168.10.11 netmask 0xffffffff broadcast 192.168.10.11
	inet 192.168.10.12 netmask 0xffffffff broadcast 192.168.10.12
	inet 192.170.10.1 netmask 0xffffffff broadcast 192.170.10.1
	inet 192.170.10.2 netmask 0xffffffff broadcast 192.170.10.2
	inet 192.170.10.3 netmask 0xffffffff broadcast 192.170.10.3
	inet 192.170.10.4 netmask 0xffffffff broadcast 192.170.10.4
	ether 00:50:22:40:2c:23
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active

The interface is listening for all those ip numbers! And of course I
could come from a machine with many interfaces going over different routes.

This is the one and same machine!

de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.5.36.2 netmask 0xfffffffc broadcast 192.5.36.3
	inet6 fe80::2e0:29ff:fe0f:a097%de0 prefixlen 64 scopeid 0x1
	inet 192.5.36.10 netmask 0xffffffff broadcast 192.5.36.10
	ether 00:e0:29:0f:a0:97
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.5.36.17 netmask 0xfffffff0 broadcast 192.5.36.31
	inet6 fe80::2e0:29ff:fe0f:a096%de1 prefixlen 64 scopeid 0x2
	ether 00:e0:29:0f:a0:96
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.5.36.81 netmask 0xfffffff0 broadcast 192.5.36.95
	inet6 fe80::204:e2ff:fe1f:bd76%dc0 prefixlen 64 scopeid 0x3
	ether 00:04:e2:1f:bd:76
	media: Ethernet autoselect (none)
	status: no carrier
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.5.36.49 netmask 0xfffffff0 broadcast 192.5.36.63
	inet6 fe80::204:e2ff:fe1f:bd0e%dc1 prefixlen 64 scopeid 0x4
	ether 00:04:e2:1f:bd:0e
	media: Ethernet autoselect (none)
	status: no carrier
dc2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.5.36.33 netmask 0xfffffff0 broadcast 192.5.36.47
	inet6 fe80::204:e2ff:fe1f:bd6c%dc2 prefixlen 64 scopeid 0x5
	ether 00:04:e2:1f:bd:6c
	media: Ethernet 100baseTX
	status: active
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.5.36.97 netmask 0xfffffff0 broadcast 192.5.36.111
	inet6 fe80::250:bfff:fe2f:46c4%ed0 prefixlen 64 scopeid 0x6
	ether 00:50:bf:2f:46:c4

So you have to define what "the same user from different IP addresses" means!

GH

2010/4/16 Damien Miller <djm at mindrot.org>:
> On Thu, 15 Apr 2010, Scott Neugroschl wrote:
>
>> I'm working from modified 5.0p1 codebase.
>>
>> What I'm looking for is a mechanism to limit the number of
>> simultaneous connections on a per-user/IP basis. That is, disallow
>> multiple simultaneous logins/authentication of the same user from
>> different IP addresses.
>
> There isn't any way to do this at present and adding the ability would
> be a little tricky. The master server would need to maintain some state
> for each connection that is active so it can apply the rules.
>
> I have vague plans to get the listening server maintaining similar state
> for another reason (to track and act on frequent abnormal terminations),
> so the infrastructure might happen eventually.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>



-- 
gorhas at gmail.com
Mob: 070-5530148
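Added example, not code from this thread or from OpenSSH: a Python sketch of the per-connection state Damien says the master server would need, with the "same place" definition Goran asks for made an explicit, pluggable choice. It parses a constructed, abbreviated copy of the ifconfig listing above into interface/address lists, folds all addresses of a known aliased host into one identity, and then enforces the rule Scott asked for (refuse a second simultaneous login of the same user from a different place). The host label "gorhas-box", the user name "scott", the session ids and the address 10.0.0.5 are constructed values.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: abbreviated from the FreeBSD `ifconfig -a` listing in the post.
IFCONFIG_SAMPLE = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\toptions=8<VLAN_MTU>
\tinet 192.5.36.21 netmask 0xfffffff0 broadcast 192.5.36.31
\tinet 192.5.36.24 netmask 0xffffffff broadcast 192.5.36.24
\tinet 192.168.10.10 netmask 0xffffffff broadcast 192.168.10.10
\tether 00:50:22:40:2c:23
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.5.36.2 netmask 0xfffffffc broadcast 192.5.36.3
\tinet6 fe80::2e0:29ff:fe0f:a097%de0 prefixlen 64 scopeid 0x1
\tinet 192.5.36.10 netmask 0xffffffff broadcast 192.5.36.10
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask")


def parse_ifconfig(text):
    """Return {interface: [IPv4Address, ...]} from BSD-style ifconfig output."""
    result = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)      # new interface block starts
            continue
        m = INET_RE.match(line)
        if m and current:
            result[current].append(ip_address(m.group(1)))
    return dict(result)


def per_address(addr):
    """Strictest definition of 'place': every source address is a different one."""
    return str(addr)


def host_alias_identity(hosts):
    """Build an identity function that treats every address of a known
    multi-homed/aliased host as one place.  hosts: {label: {iface: [ips]}}."""
    owner = {}
    for label, ifaces in hosts.items():
        for ips in ifaces.values():
            for ip in ips:
                owner[ip] = "host:" + label

    def identity(addr):
        return owner.get(addr, str(addr))   # unknown addresses stay distinct
    return identity


class SessionLimiter:
    """Per-user state a listening server would keep to apply the policy."""

    def __init__(self, identity=per_address, max_per_user=None):
        self.identity = identity
        self.max_per_user = max_per_user
        self.active = defaultdict(dict)   # user -> {session_id: place key}

    def try_open(self, user, peer, session_id):
        """Record the session and return True if policy allows it, else False."""
        key = self.identity(ip_address(peer))
        sessions = self.active[user]
        if any(k != key for k in sessions.values()):
            return False   # same user already active from a different place
        if self.max_per_user is not None and len(sessions) >= self.max_per_user:
            return False   # optional cap even when every session is from one place
        sessions[session_id] = key
        return True

    def close(self, user, session_id):
        self.active[user].pop(session_id, None)


def demo():
    """Same logins judged under the two definitions of 'same place'."""
    hosts = {"gorhas-box": parse_ifconfig(IFCONFIG_SAMPLE)}   # constructed label
    strict = SessionLimiter(per_address)
    lenient = SessionLimiter(host_alias_identity(hosts))
    return {
        "strict_first": strict.try_open("scott", "192.5.36.21", 1),
        "strict_alias": strict.try_open("scott", "192.5.36.24", 2),
        "lenient_first": lenient.try_open("scott", "192.5.36.21", 1),
        "lenient_alias": lenient.try_open("scott", "192.5.36.24", 2),
        "lenient_other_iface": lenient.try_open("scott", "192.5.36.10", 3),
        "lenient_stranger": lenient.try_open("scott", "10.0.0.5", 4),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'refused'}")
```

The strict limiter refuses the second login from 192.5.36.24 even though it is the same box as 192.5.36.21; the alias-aware one allows any address in the parsed listing and refuses only the unknown 10.0.0.5. Which behaviour is right is exactly the definition the policy has to pin down before the server starts keeping state.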