sftp and utmp

Damien Miller djm at mindrot.org
Mon Apr 3 14:05:25 AEST 2023


On Thu, 30 Mar 2023, François Ouellet wrote:

> Hi,
> 
> We need to limit concurrent sftp logins to one per user (because of bad
> client behaviour).  Is there any way to achieve this I have overlooked?
> 
> It seems it could be possible with pam_limits, if sftp sessions were
> recorded in utmp (a guess from what I found googling around).  If I
> configure /etc/security/limits.conf with
> 
>   testuser hard maxlogins 1
> 
> and connect with ssh, and try a second connection with sftp, the sftp
> fails because there is already one session open.  But if I connect with
> sftp and try a second sftp connection, it is allowed.
> 
> Is there some way to have sftp connections recorded in utmp?  I haven't
> found any reference to this.  There are some posts from 10+ years ago
> where others were trying the same thing but there's no reply about how
> to do it.  Would it be possible to add this option?

We've been asked about this a number of times before - the problem is
that utmp is really set up to record interactive logins that have a
TTY/PTY assigned. There is AFAIK no real standard for recording
"service logins" (e.g. sftp or SSH command execution w/o TTY) in utmp
and many OS utmp implementations lack fields by which this could be
communicated.

IIRC we toyed with recording something fake like "sftp" in ut_line
but that caused problems as none of the other tools were set up to
accept it.

-d
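
The thread explains why utmp and pam_limits cannot see sftp sessions but does not show an alternative. The following is an added example, not code from this thread, from OpenSSH or from the poster: it enforces the one-sftp-session-per-user rule without utmp at all, by running a ForceCommand wrapper that takes a per-user advisory lock with flock(1) and then execs the real sftp-server, which inherits the locked descriptor. The sshd_config fragment, the sftp-server path, the group name and the lock directory are all assumptions; adjust them for the distribution in use.

```shell
#!/bin/sh
# sftp-onelogin: allow at most one concurrent sftp session per user.
# Added example for this thread, not OpenSSH code. It does not touch utmp:
# sshd runs it as the ForceCommand, it takes a per-user lock with flock(1)
# (util-linux, assumed present), then execs sftp-server. The kernel drops
# the lock when that process exits, so a killed session leaves no stale lock.
#
# Assumed sshd_config (paths and group name are assumptions):
#   Subsystem sftp /usr/lib/openssh/sftp-server
#   Match Group sftponly
#       ForceCommand /usr/local/libexec/sftp-onelogin --serve
#
# Lock files live in $SFTP_LOCK_DIR (default /run/sftp-locks, assumed);
# see the usage note about its ownership and mode.

SFTP_LOCK_DIR="${SFTP_LOCK_DIR:-/run/sftp-locks}"
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"   # assumed path

# Try to take the per-user lock on fd 9 without blocking.
# Returns 0 when this process now holds it, 1 when another session does.
acquire_user_lock() {
    user="$1"
    [ -d "$SFTP_LOCK_DIR" ] || mkdir -p "$SFTP_LOCK_DIR" || return 1
    # Open (or create) the lock file on fd 9. flock locks the open file
    # description, so every process that inherits fd 9 shares the lock.
    exec 9>>"$SFTP_LOCK_DIR/$user.lock" || return 1
    flock -n 9
}

# Release the lock taken by acquire_user_lock: closing the fd is enough.
release_user_lock() {
    exec 9>&-
}

# Main entry point, used only when invoked by sshd with --serve; sourcing
# the file for testing runs nothing.
if [ "${1:-}" = "--serve" ]; then
    me="$(id -un)"
    if acquire_user_lock "$me"; then
        # sftp-server inherits fd 9 and therefore keeps the lock until it exits.
        exec "$SFTP_SERVER"
    else
        printf 'sftp: user %s already has an sftp session open\n' "$me" >&2
        exit 1
    fi
fi
```

Two caveats a deployment should handle. The lock directory must be writable by every sftp user, so create it root-owned with the sticky bit (mode 1733) so users cannot remove each other's lock files; a user who can log in as a different account could still pre-create another user's lock file and deny that user service, and where that matters, pre-create every lock file as root and change the redirection in acquire_user_lock to open it read-only (`exec 9<"$SFTP_LOCK_DIR/$user.lock"`), which flock accepts just as well. The second session is refused before sftp-server starts, so from the client's side it looks like an immediate disconnect with the message above on stderr.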


More information about the openssh-unix-dev mailing list