sftp and utmp

hvjunk hvjunk at gmail.com
Fri Mar 31 08:14:26 AEDT 2023



> On 30 Mar 2023, at 23:12, hvjunk <hvjunk at gmail.com> wrote:
> 
> I've been battling similar issues, and the only methods I've found (with sftp) was to use
> software like pureftd

oops, I meant ProFTPD (Keep swapping those two as I had need for each in different cases!)

> or crushftp (using crushftp lately as production) that does handle these
> issues "out of the box"
> Other than that, I'd expect you'll need to write your own PAM modules to track the accounting part to 
> enforce the limits yourself, as you'll need to account for sftp differently from the terminal sessions
> 
> 
> 
>> On 30 Mar 2023, at 22:43, François Ouellet <franco at sol.mpact.tv> wrote:
>> 
>> Hi,
>> 
>> We need to limit concurrent sftp logins to one per user (because of bad
>> client behaviour).  Is there any way to achieve this I have overlooked?
>> 
>> It seems it could be possible with pam_limits, if sftp sessions were
>> recorded in utmp (a guess from what I found googling around).  If I
>> configure /etc/security/limits.conf with
>> 
>> testuser hard maxlogins 1
>> 
>> and connect with ssh, and try a second connection with sftp, the sftp
>> fails because there is already one session open.  But if I connect with
>> sftp and try a second sftp connection, it is allowed.
>> 
>> Is there some way to have sftp connections recorded in utmp?  I haven't
>> found any reference to this.  There are some posts from 10+ years ago
>> where others were trying the same thing but there's no reply about how
>> to do it.  Would it be possible to add this option?
>> 
>> We're using ChrootDirectory and ForceCommand internal-sftp, if it makes
>> a difference (I've tried without and had the same results).
>> 
>> Tried this on Debian bookworm's openssh-server (9.2).  The changelog
>> from 9.3 does not mention anything related to this.
>> 
>> Thank you,
>> 
>> François
>> 
>> 
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
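An added example, not from this thread: a small Python reader for the utmp database that counts USER_PROCESS records per user, which is the bookkeeping pam_limits consults when it enforces maxlogins. It assumes the glibc struct utmp layout on x86_64 Linux (384 bytes per record) and ships with constructed sample records; pointed at /var/run/utmp on a host where a user has one interactive ssh login and one internal-sftp session, it shows only the interactive login, which is why the second sftp connection in François's test was not refused.

```python
"""Count active login sessions per user from a Linux utmp database.

Added example (not from the openssh-unix-dev thread). It parses the glibc
'struct utmp' layout used on x86_64 Linux (384 bytes per record; an
assumption about the platform) and counts USER_PROCESS entries per user,
the same records pam_limits consults for 'maxlogins'. A session sshd never
writes to utmp, such as a pty-less internal-sftp session, is invisible here.
"""
import struct
from collections import Counter

UTMP_PATH = "/var/run/utmp"
USER_PROCESS = 7   # ut_type of a normal user login
DEAD_PROCESS = 8   # ut_type left behind after a session ends

# glibc struct utmp on x86_64: ut_type (short) + 2 pad bytes, ut_pid (int),
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], struct exit_status
# (two shorts), ut_session (int32), ut_tv (two int32), ut_addr_v6[4],
# 20 unused bytes -> 384 bytes in total.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes):
    """Yield (ut_type, pid, line, user, host) for every whole record in data."""
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        ut_type, pid, line, _id, user, host, *_ = struct.unpack_from(UTMP_FMT, data, off)
        yield ut_type, pid, _cstr(line), _cstr(user), _cstr(host)


def count_logins(data: bytes) -> Counter:
    """Count USER_PROCESS records per user, as pam_limits does for maxlogins."""
    counts = Counter()
    for ut_type, _pid, _line, user, _host in parse_utmp(data):
        if ut_type == USER_PROCESS and user:
            counts[user] += 1
    return counts


def over_limit(data: bytes, limits: dict) -> dict:
    """Return {user: count} for users whose login count exceeds their limit."""
    counts = count_logins(data)
    return {u: n for u, n in counts.items() if u in limits and n > limits[u]}


def make_record(ut_type: int, pid: int, line: str, user: str, host: str) -> bytes:
    """Build one constructed utmp record (used only for the sample data below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, 0, 0, b"\0" * 16)


# Constructed sample: two interactive ssh sessions for testuser, one stale
# DEAD_PROCESS entry, and one session for alice. An sftp-only session is
# simply absent, so it can never push testuser's count over a maxlogins of 1.
SAMPLE_UTMP = b"".join([
    make_record(USER_PROCESS, 1234, "pts/0", "testuser", "192.0.2.10"),
    make_record(USER_PROCESS, 1300, "pts/1", "testuser", "192.0.2.10"),
    make_record(DEAD_PROCESS, 1100, "pts/2", "testuser", "192.0.2.11"),
    make_record(USER_PROCESS, 1400, "pts/3", "alice", "198.51.100.7"),
])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else UTMP_PATH
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError as err:
        print(f"could not read {path} ({err}); using constructed sample records")
        data = SAMPLE_UTMP
    for user, n in sorted(count_logins(data).items()):
        print(f"{user}: {n} utmp login(s)")
    print("over limit:", over_limit(data, {"testuser": 1}))
```

Running it with no argument reads the live utmp file; comparing its output with `ss -tnp | grep sshd` (or the sshd log) on a box with open sftp sessions shows the gap directly: the TCP sessions exist, the utmp records do not, so a utmp-based limit cannot see them.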
