Hi Dmitry,
Just came across a situation where I can't limit SFTP max connections on a per user (not per IP) basis without resorting to using wrappers. Not sure if the old SCP actually logs in (sorry haven't checked) but the SFTP that I use (latest RHEL7) doesn't honour limits.conf (maxlogins or nproc) because it doesn't actually log in - it's just a protocol and a subsystem at that. I currently have a situation where system SSH resources can be exhausted by overzealous use by a single SFTP user. Do the newer versions of OpenSSH come with a better way of limiting SFTP sessions on a per user basis just like the classic FTPs of old?
I already have MaxSessions in sshd_config set high for managing SSHFS mounts which works fine, but it works on a connection basis and I have full control of both ends. I have little control over client SFTP volume requests.
I would appreciate it if you can allay my concerns by letting me know if switching to using the underlying SFTP protocol for SCP will allow per user connection limits to be applied which I feel are very important. Hope you have the answer at hand.
Best regards,
Arthur.
On Mon, 4 Oct 2021 at 19:49, Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote:
Dear Richard,

On Mon, Oct 4, 2021 at 10:23 AM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
On Wed, Sep 29, 2021 at 04:48:43PM +0200, Dmitry Belyavskiy wrote:
> Dear colleagues,
>
> I recently added OpenSSH 8.7p1 to rawhide.
> This version includes implementation of the SFTP protocol as the main transfer
> protocol for the scp utility. In upstream, the SCP protocol is used by default
> in the scp utility. The upcoming versions 8.9p1+ (version 8.8p1 is mostly a
> security release) are expected to use SFTP protocol by default. This behavior
> (SFTP as a default transfer protocol for scp utility) is backported to rawhide.
>
> The same approach is planned for RHEL 9 GA,
>
> Please let me know if you have any questions/problems.
Does this change the quoting of scp paths with spaces etc? The
quoting of scp is insane but at least it's a known quantity, and we
baked it into virt-p2v.

Yes. There are changes in the quoting, documented in

If you still need an old quoting, AFAIK, you should explicitly specify the scp protocol via -O command-line option.

Dmitry Belyavskiy
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure