sftp and utmp
hvjunk at gmail.com
Fri Mar 31 08:14:26 AEDT 2023
> On 30 Mar 2023, at 23:12, hvjunk <hvjunk at gmail.com> wrote:
> I've been battling similar issues, and the only methods I've found (with sftp) were to use
> software like pureftd
oops, I meant ProFTPD (Keep swapping those two as I had need for each in different cases!)
> or crushftp (using crushftp lately as production) that does handle these
> issues "out of the box"
> Other than that, I'd expect you'll need to write your own PAM modules to track the accounting part to
> enforce the limits yourself, as you'll need to account for sftp differently from the terminal sessions
>> On 30 Mar 2023, at 22:43, François Ouellet <franco at sol.mpact.tv> wrote:
>> We need to limit concurrent sftp logins to one per user (because of bad
>> client behaviour). Is there any way to achieve this I have overlooked?
>> It seems it could be possible with pam_limits, if sftp sessions were
>> recorded in utmp (a guess from what I found googling around). If I
>> configure /etc/security/limits.conf with
>> testuser hard maxlogins 1
>> and connect with ssh, and try a second connection with sftp, the sftp
>> fails because there is already one session open. But if I connect with
>> sftp and try a second sftp connection, it is allowed.
>> Is there some way to have sftp connections recorded in utmp? I haven't
>> found any reference to this. There are some posts from 10+ years ago
>> where others were trying the same thing but there's no reply about how
>> to do it. Would it be possible to add this option?
>> We're using ChrootDirectory and ForceCommand internal-sftp, if it makes
>> a difference (I've tried without and had the same results).
>> Tried this on Debian bookworm's openssh-server (9.2). The changelog
>> from 9.3 does not mention anything related to this.
>> Thank you,
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
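An added audit script, not from this thread or from OpenSSH, that makes the gap François describes visible: it counts per-user sftp sessions from `ps` output and compares them with the utmp entries `who` reports, which is all that pam_limits `maxlogins` can count. It assumes sshd titles the in-process sftp server `sshd: user@internal-sftp` and other sessions without a tty `sshd: user@notty`; the `ps` and `who` samples are constructed.

```python
import re
import subprocess
from collections import Counter

# Constructed sample of `ps -eo user,args`: two internal-sftp sessions for
# testuser and one interactive ssh session (with a pty) for alice.
SAMPLE_PS = """\
USER     COMMAND
root     sshd: testuser [priv]
testuser sshd: testuser@internal-sftp
root     sshd: testuser [priv]
testuser sshd: testuser@internal-sftp
root     sshd: alice [priv]
alice    sshd: alice@pts/0
"""

# Constructed sample of `who` (utmp): only the pty session is recorded.
SAMPLE_WHO = "alice    pts/0        2023-03-31 08:14 (203.0.113.7)\n"

# Assumed sshd process titles for sessions that never get a tty:
# "sshd: user@internal-sftp" for the in-process sftp server, "sshd: user@notty" otherwise.
SFTP_TITLE = re.compile(r"^sshd: (\S+)@(internal-sftp|notty)$")

def count_sftp_sessions(ps_output: str) -> Counter:
    """Count tty-less sshd sessions (sftp) per user from `ps -eo user,args` output."""
    counts = Counter()
    for line in ps_output.splitlines()[1:]:          # skip the USER/COMMAND header
        parts = line.split(maxsplit=1)
        if len(parts) == 2:
            m = SFTP_TITLE.match(parts[1].strip())
            if m:
                counts[m.group(1)] += 1
    return counts

def utmp_users(who_output: str) -> Counter:
    """Count utmp-recorded logins per user: the only sessions maxlogins can see."""
    return Counter(line.split()[0] for line in who_output.splitlines() if line.strip())

def unenforced_users(ps_output: str, who_output: str, maxlogins: int = 1) -> dict:
    """Users with more sftp sessions than maxlogins allows, yet with fewer utmp
    entries than sessions, so pam_limits could never have refused the extra logins."""
    sftp, utmp = count_sftp_sessions(ps_output), utmp_users(who_output)
    return {u: n for u, n in sftp.items() if n > maxlogins and utmp[u] < n}

if __name__ == "__main__":
    ps = subprocess.run(["ps", "-eo", "user,args"], capture_output=True, text=True).stdout
    who = subprocess.run(["who"], capture_output=True, text=True).stdout
    for user, n in unenforced_users(ps, who).items():
        print(f"{user}: {n} concurrent sftp sessions, none counted by maxlogins")
```

Run as root on the sftp host to list users whose concurrent sftp sessions exceed the limit; an empty result with known sftp clients connected means the session titles differ from the assumption above.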