sftp and utmp
Jochen Bern
Jochen.Bern at binect.de
Tue Apr 4 03:29:47 AEST 2023
On 30.03.23 22:43, François Ouellet wrote:
> We need to limit concurrent sftp logins to one per user (because of bad
> client behaviour). Is there any way to achieve this I have overlooked?
What authentication method(s) do your users use?
On our Internet-facing SFTP server, by default (few exceptions), we
accept only pubkey auth and require users to (un)install pubkeys through
us. In order to keep the latter out of users' hands, we use
AuthorizedKeysCommand (rather than AuthorizedKeysFile) pointing to a
little shell script (that has to look up and copy the acceptable pubkeys
for the user to stdout). Inserting a "ps" to look for ongoing logins of
the same user, and having the script exit without any output if found,
should be easy ...
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication no
> Subsystem sftp internal-sftp
[...]
> Match group JUST-SFTP_USERS_GROUP
> ChrootDirectory %h
[...]
> ForceCommand internal-sftp -l INFO -u 0077
[...]
> AuthorizedKeysCommand AKC_SCRIPT
> AuthorizedKeysCommandUser AKC_USER
> $ cat AKC_SCRIPT
> #!/bin/sh
[...]
> MANDANT="$1"
> if [ "`echo $MANDANT | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/'`" != "_" ]; then
> # Unsupported characters in username. Refuse to work.
> $LOG.warning "Invalid username: $MANDANT"
> exit 0
> fi
[...]
> if [ -r "$MAIN_FILE" ]; then
> MAIN=`grep -c '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE"`
> grep '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE" | sed -e 's/^ *#'"$MANDANT"'# *//'
> fi
[...]
> exit 0
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
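One way to implement the "ps" check described above inside an AuthorizedKeysCommand script, as an added example that is not the poster's script: it assumes a hypothetical key file of "#<user># ssh-..." lines (the format the quoted script greps for) and that sshd titles an internal-sftp session process "sshd: <user>@internal-sftp", which is what `ps -eo args=` shows on Linux.

```shell
#!/bin/sh
# Added example, not the list poster's script: an AuthorizedKeysCommand that
# prints the user's keys only when no internal-sftp session of theirs is live.
# Assumptions (not from the post): keys are kept in KEY_FILE as
# "#<user># ssh-..." lines, and a running internal-sftp session shows in
# `ps -eo args=` as "sshd: <user>@internal-sftp" (sshd's process title).

KEY_FILE="${KEY_FILE:-/etc/ssh/sftp_keys}"   # hypothetical path

# Only [A-Za-z0-9-] may reach the grep/sed patterns below; refuse the rest.
username_is_safe() {
    case "$1" in
        '' | *[!A-Za-z0-9-]*) return 1 ;;
        *)                    return 0 ;;
    esac
}

# Count live internal-sftp sessions for a user from ps output on stdin.
# Reading stdin (rather than calling ps here) lets the logic be tested
# against captured lines.
count_sftp_sessions() {
    grep -c -E "^sshd: $1@internal-sftp *\$" || true   # prints "0" on no match
}

# Print the keys registered for a user, minus the "#<user># " marker.
emit_keys_for() {
    grep "^ *#$1# *ssh-" "$2" 2>/dev/null | sed -e "s/^ *#$1# *//" || true
}

# Print the user's keys and return 0 when the login may proceed; print
# nothing and return 1 for an unsafe name or an already active session.
# $1 = user, $2 = key file, $3 = captured `ps -eo args=` output.
authorize_login() {
    username_is_safe "$1" || return 1
    active=$(printf '%s\n' "$3" | count_sftp_sessions "$1")
    [ "$active" -eq 0 ] || return 1
    emit_keys_for "$1" "$2"
}

# sshd runs: AuthorizedKeysCommand /path/to/script %u
# Exit 0 either way, as in the post: an empty answer means "no acceptable key".
main() {
    authorize_login "$1" "$KEY_FILE" "$(ps -eo args=)" || true
    exit 0
}

if [ "$#" -eq 1 ]; then main "$1"; fi
```

The command runs before the new session exists, so two logins arriving at the same instant can both see zero sessions and both receive keys; sshd records the refusal only as a failed pubkey attempt, so log the reason from the script if the two cases need to be told apart.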