sftp and utmp

Jochen Bern Jochen.Bern at binect.de
Tue Apr 4 03:29:47 AEST 2023

On 30.03.23 22:43, François Ouellet wrote:
> We need to limit concurrent sftp logins to one per user (because of bad
> client behaviour).  Is there any way to achieve this I have overlooked?

What authentication method(s) do your users use?

On our Internet-facing SFTP server, by default (few exceptions), we 
accept only pubkey auth and require users to (un)install pubkeys through 
us. In order to keep that latter out of users' hands, we use 
AuthorizedKeysCommand (rather than AuthorizedKeysFile) pointing to a 
little shell script (that has to look up and copy the acceptable pubkeys 
for the user to stdout). Inserting a "ps" to look for ongoing logins of 
the same user, and having the script exit without any output if found, 
should be easy ...

> PasswordAuthentication no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication no
> Subsystem       sftp    internal-sftp
>         ChrootDirectory %h
>         ForceCommand internal-sftp -l INFO -u 0077
>         AuthorizedKeysCommand AKC_SCRIPT
>         AuthorizedKeysCommandUser AKC_USER

> $ cat AKC_SCRIPT
> #!/bin/sh
> MANDANT="$1"
> if [ "`echo $MANDANT | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/'`" != "_" ]; then
>         # Unsupported characters in username. Refuse to work.
>         $LOG.warning "Invalid username: $MANDANT"
>         exit 0
> fi
> if [ -r "$MAIN_FILE" ]; then
>         MAIN=`grep -c '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE"`
>         grep '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE" | sed -e 's/^ *#'"$MANDANT"'# *//'
> fi
> exit 0
Kind regards,
Jochen Bern

Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20230403/05a2a06f/attachment-0001.p7s>

More information about the openssh-unix-dev mailing list