sftp and utmp
François Ouellet
franco at sol.mpact.tv
Tue Apr 4 00:12:21 AEST 2023
On Monday, 3 April 2023, 00:05:25 EDT Damien Miller wrote:
> On Thu, 30 Mar 2023, François Ouellet wrote:
>
> > Hi,
> >
> > We need to limit concurrent sftp logins to one per user (because of bad
> > client behaviour). Is there any way to achieve this I have overlooked?
> >
> > It seems it could be possible with pam_limits, if sftp sessions were
> > recorded in utmp (a guess from what I found googling around). If I
> > configure /etc/security/limits.conf with
> >
> > testuser hard maxlogins 1
> >
> > and connect with ssh, and try a second connection with sftp, the sftp
> > fails because there is already one session open. But if I connect with
> > sftp and try a second sftp connection, it is allowed.
> >
> > Is there some way to have sftp connections recorded in utmp? I haven't
> > found any reference to this. There are some posts from 10+ years ago
> > where others were trying the same thing but there's no reply about how
> > to do it. Would it be possible to add this option?
>
> We've been asked about this a number of times before - the problem is
> that utmp is really set up to record interactive logins that have a
> TTY/PTY assigned. There is AFAIK no real standard for recording
> "service logins" (e.g. sftp or SSH command execution w/o TTY) in utmp
> and many OS utmp implementations lack fields by which this could be
> communicated.
>
> IIRC we toyed with recording something fake like "sftp" in ut_line
> but that caused problems as none of the other tools were set up to
> accept it.

Is there an archive of the discussion of the problems it brings to the
other tools? I'd like to understand the issues.

What other tools are impacted? If I don't need them, would it be
possible to think about adding an option to enter fake utmp entries for
internal-sftp sessions (or any other subsystem, I'm only seeing my own
little problem here)?

Could I find some code from those tests from some time ago and apply
it locally? Was there anything publicly available? A quick glance
at the code was not enough for me to see anything obvious that could
be done.

I still have some (small) hope of achieving what I need with pam_limits
and nproc if the fake utmp entry is not possible...

Thanks,
François
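
The behaviour reported in this thread, modelled as an added example that is not part of the original messages and is not OpenSSH or pam_limits code: a simplified utmp-based maxlogins check run over constructed records. It assumes the check counts the session being opened plus each USER_PROCESS record for the user, and that Linux <utmp.h> is available; mk, login_allowed and the two scenario functions are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* Build one constructed utmp record (sample data, not read from the real utmp file). */
static struct utmp mk(short type, const char *user, const char *line)
{
    struct utmp u;
    memset(&u, 0, sizeof u);
    u.ut_type = type;
    strncpy(u.ut_user, user, sizeof u.ut_user);  /* fixed-width field, may lack a NUL */
    strncpy(u.ut_line, line, sizeof u.ut_line);
    return u;
}

/* Simplified model (assumption): the new session counts as 1, plus every
 * USER_PROCESS record whose ut_user matches. Returns 1 if login is allowed. */
static int login_allowed(const struct utmp *tab, size_t n, const char *user, int limit)
{
    int count = 1;
    for (size_t i = 0; i < n; i++) {
        if (tab[i].ut_type != USER_PROCESS)
            continue;                            /* skip dead or non-login records */
        if (strncmp(user, tab[i].ut_user, sizeof tab[i].ut_user) != 0)
            continue;                            /* record belongs to someone else */
        count++;
    }
    return count <= limit;
}

/* Scenario A: an ssh session with a PTY is open, so a record exists on pts/0. */
int sftp_after_ssh_allowed(void)
{
    struct utmp tab[] = { mk(USER_PROCESS, "testuser", "pts/0") };
    return login_allowed(tab, 1, "testuser", 1);
}

/* Scenario B: an sftp session is open, but with no TTY it left no record;
 * the table holds only another user's login and a stale dead entry. */
int sftp_after_sftp_allowed(void)
{
    struct utmp tab[] = { mk(USER_PROCESS, "otheruser", "pts/1"),
                          mk(DEAD_PROCESS, "testuser", "pts/0") };
    return login_allowed(tab, 2, "testuser", 1);
}

int main(void)
{
    printf("sftp after ssh:  %s\n", sftp_after_ssh_allowed() ? "allowed" : "denied");
    printf("sftp after sftp: %s\n", sftp_after_sftp_allowed() ? "allowed" : "denied");
    return 0;
}
```

With maxlogins 1 the first scenario is denied and the second is allowed, matching what the original post describes.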