sftp and utmp
hvjunk
hvjunk at gmail.com
Fri Mar 31 08:14:26 AEDT 2023
> On 30 Mar 2023, at 23:12, hvjunk <hvjunk at gmail.com> wrote:
>
> I've been battling similar issues, and the only methods I've found (with sftp) were to use
> software like pureftd
oops, I meant ProFTPD (Keep swapping those two as I had need for each in different cases!)
> or crushftp (using crushftp lately as production) that does handle these
> issues "out of the box"
> Other than that, I'd expect you'll need to write your own PAM modules to track the accounting part to
> enforce the limits yourself, as you'll need to account for the sftp different from the terminal sessions
>
>
>
>> On 30 Mar 2023, at 22:43, François Ouellet <franco at sol.mpact.tv> wrote:
>>
>> Hi,
>>
>> We need to limit concurrent sftp logins to one per user (because of bad
>> client behaviour). Is there any way to achieve this I have overlooked?
>>
>> It seems it could be possible with pam_limits, if sftp sessions were
>> recorded in utmp (a guess from what I found googling around). If I
>> configure /etc/security/limits.conf with
>>
>> testuser hard maxlogins 1
>>
>> and connect with ssh, and try a second connection with sftp, the sftp
>> fails because there is already one session open. But if I connect with
>> sftp and try a second sftp connection, it is allowed.
>>
>> Is there some way to have sftp connections recorded in utmp? I haven't
>> found any reference to this. There are some posts from 10+ years ago
>> where others were trying the same thing but there's no reply about how
>> to do it. Would it be possible to add this option?
>>
>> We're using ChrootDirectory and ForceCommand internal-sftp, if it makes
>> a difference (I've tried without and had the same results).
>>
>> Tried this on Debian bookworm's openssh-server (9.2). The changelog
>> from 9.3 does not mention anything related to this.
>>
>> Thank you,
>>
>> François
>>
>>
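To make the accounting gap François describes concrete, here is an added example (not from the thread) that reads the utmp record format pam_limits consults for maxlogins and counts USER_PROCESS entries per user. It assumes the 384-byte glibc struct utmp layout of x86-64 Linux; the sample records are constructed, and an internal-sftp session would simply add no record to this data.

```python
import struct
from collections import Counter

# Assumed layout: glibc struct utmp on x86-64 Linux (384 bytes), see <utmp.h>.
# Fields: ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, exit_status (2 shorts),
#         ut_session, ut_tv (sec, usec), ut_addr_v6[4], padding.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7   # the record type pam_limits counts for maxlogins
UTMP_PATH = "/var/run/utmp"


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def count_logins(data: bytes) -> Counter:
    """Count USER_PROCESS records per user in raw utmp bytes.

    This is the same population pam_limits inspects, so a session that
    sshd never records here (e.g. internal-sftp) is invisible to maxlogins.
    """
    counts: Counter = Counter()
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, user = fields[0], _cstr(fields[4])
        if ut_type == USER_PROCESS and user:
            counts[user] += 1
    return counts


def would_block(data: bytes, user: str, maxlogins: int) -> bool:
    """Mirror the maxlogins decision: refuse when existing logins already reach the limit."""
    return count_logins(data)[user] >= maxlogins


def make_record(user: str, line: str, pid: int, host: str = "",
                ut_type: int = USER_PROCESS) -> bytes:
    """Constructed sample record of the kind sshd writes for an interactive shell."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


def read_utmp(path: str = UTMP_PATH) -> Counter:
    """Count logins from the live utmp file (requires read access to the file)."""
    with open(path, "rb") as fh:
        return count_logins(fh.read())


if __name__ == "__main__":
    # Two ssh shell sessions for testuser are recorded; a concurrent sftp session is not.
    sample = make_record("testuser", "pts/0", 4242) + make_record("testuser", "pts/1", 4250)
    print(count_logins(sample))                      # Counter({'testuser': 2})
    print(would_block(sample, "testuser", 1))        # True
```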