Restrict SSH connections
Amit Prajapati
amit.subscription at gmail.com
Wed Feb 26 20:40:16 AEDT 2020
Thanks for the response Jakub.
user1 - maxlogins 5
Does pam_limits get applied on a per-user basis?
My requirement is to limit the total number of ssh sessions (say 5) to the
SSH server from any user,
The requirement is irrespective of the group or a user.
E.g.
Say if a user (userA) has created 5 ssh connections, no other user should
be allowed to connect to the SSH server
or if userA has created 3 sessions, then two more sessions can be created
by any other user.
Could you please help me on how I can achieve this with pam_limits?
Thanks & Regards,
Amit
On Wed, Feb 26, 2020 at 1:24 PM Jakub Jelen <jjelen at redhat.com> wrote:
> On Tue, 2020-02-25 at 11:44 +0100, mlrx wrote:
> > On 25/02/2020 at 10:56, Amit Prajapati wrote:
> > > Hi,
> > >
> > > Is there a way to restrict the number of active SSH client
> > > connections to
> > > an sshd server.
> > >
> > > Thanks & Regards,
> > > Amit
> >
> > Hi,
> >
> > (Not a specialist, but I'll give it a try. It seems to be a good way to
> > learn.)
> >
> > It seems to be only possible on the server configuration.
> >
> > Clever or not, maybe use some conditional parameters in
> > sshd_config ?
> > Something like:
> >
> > Match Group adminA
> > MaxSessions 8
> > Match Group adminB
> > MaxSessions 4
> > Match User UserA
> > MaxSessions 1
> > Match User UserB
> > MaxSessions 2
>
> This does not limit connections, but only multiplexed sessions inside a
> single connection.
>
> To limit the number of shells, you can use pam_limits [1], but it does not
> catch non-shell connections such as sftp, port forwarding, jumps to
> other servers and so on. For that, you need to use something home-
> cooked or some non-standard tool.
>
> [1] https://serverfault.com/a/245348/186199
>
> Regards,
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
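
As an added example (not part of the thread and not OpenSSH code), here is one possible "home-cooked" check of the kind the quoted reply mentions: it counts established TCP connections to the sshd port across all users, so sftp and forwarding-only connections are included. The `ss -Htn state established` column layout, port 22, the limit of 5 taken from the question, and the function names are assumptions; the sample lines are constructed.

```python
from collections import Counter

# Constructed sample of `ss -Htn state established` output. Assumed columns:
# Recv-Q, Send-Q, local address:port, peer address:port. Not real data.
SAMPLE_SS_OUTPUT = """\
0      0      192.0.2.10:22        198.51.100.7:51514
0      36     192.0.2.10:22        198.51.100.7:51520
0      0      [2001:db8::10]:22    [2001:db8::99]:40022
0      0      192.0.2.10:443       203.0.113.5:60000
0      0      192.0.2.10:22        203.0.113.5:60122
0      0      192.0.2.10:2222      203.0.113.8:41000
"""


def split_endpoint(text):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an address:port pair: {text!r}")
    return host.strip("[]"), int(port)


def sshd_connections(ss_output, sshd_port=22):
    """Return a Counter of peer address -> established connections to sshd_port."""
    peers = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        try:
            _, local_port = split_endpoint(fields[2])
            peer_host, _ = split_endpoint(fields[3])
        except ValueError:
            continue  # unparsable line, skip rather than miscount
        if local_port == sshd_port:
            peers[peer_host] += 1
    return peers


def at_capacity(ss_output, limit=5, sshd_port=22):
    """True when the server-wide connection count has reached the limit."""
    # Counts TCP connections, so clients still authenticating are included.
    return sum(sshd_connections(ss_output, sshd_port).values()) >= limit


if __name__ == "__main__":
    print(dict(sshd_connections(SAMPLE_SS_OUTPUT)), at_capacity(SAMPLE_SS_OUTPUT))
```

This only reports the count; what to do when the limit is reached is left to the surrounding tooling.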