On Thu, 30 Mar 2023, François Ouellet wrote:

> Hi,
>
> We need to limit concurrent sftp logins to one per user (because of bad
> client behaviour). Is there any way to achieve this I have overlooked?
>
> It seems it could be possible with pam_limits, if sftp sessions were
> recorded in utmp (a guess from what I found googling around). If I
> configure /etc/security/limits.conf with
>
> testuser hard maxlogins 1
>
> and connect with ssh, and try a second connection with sftp, the sftp
> fails because there is already one session open. But if I connect with
> sftp and try a second sftp connection, it is allowed.
>
> Is there some way to have sftp connections recorded in utmp? I haven't
> found any reference to this. There are some posts from 10+ years ago
> where others were trying the same thing but there's no reply about how
> to do it. Would it be possible to add this option?

We've been asked about this a number of times before - the problem is
that utmp is really set up to record interactive logins that have a
TTY/PTY assigned.

There is AFAIK no real standard for recording "service logins" (e.g.
sftp or SSH command execution w/o TTY) in utmp and many OS utmp
implementations lack fields by which this could be communicated.

IIRC we toyed with recording something fake like "sftp" in ut_line but
that caused problems as none of the other tools were set up to accept it.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
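
To observe the gap discussed in this thread on a host, the following added example (not part of the original messages and not OpenSSH code) counts per-user sshd sessions that have no TTY next to the entries utmp actually holds. It assumes sshd's per-session process titles have the form `sshd: USER@pts/N` or `sshd: USER@notty` (with an `sshd-session:` prefix on newer releases); the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: show, per user, how many sshd sessions run without a TTY
# (sftp, remote commands) and so leave no utmp record for pam_limits'
# maxlogins to count.
# Assumption: session processes are titled "sshd: USER@pts/N" (TTY) or
# "sshd: USER@notty" (no TTY); newer OpenSSH may use "sshd-session:".

# notty_sessions: reads `ps -eo args` style lines on stdin and prints
# "USER COUNT" for sessions without a TTY, sorted by user.
notty_sessions() {
    awk '
        ($1 == "sshd:" || $1 == "sshd-session:") && $2 ~ /@notty$/ {
            user = $2; sub(/@notty$/, "", user); n[user]++
        }
        END { for (u in n) print u, n[u] }
    ' | sort
}

# utmp_sessions: reads `who` style lines on stdin and prints "USER COUNT",
# i.e. the logins that a utmp-based limit is able to see.
utmp_sessions() {
    awk 'NF { n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Constructed sample: testuser has one ssh shell and two sftp sessions.
SAMPLE_PS='sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
sshd: testuser [priv]
sshd: testuser@pts/0
sshd: testuser [priv]
sshd: testuser@notty
sshd: testuser [priv]
sshd: testuser@notty'
SAMPLE_WHO='testuser pts/0        2023-03-30 09:12 (192.0.2.10)'

# On a live system: ps -eo args | notty_sessions ; who | utmp_sessions
printf '%s\n' "$SAMPLE_PS" | notty_sessions    # sessions utmp never sees
printf '%s\n' "$SAMPLE_WHO" | utmp_sessions    # what maxlogins can count
```

With the constructed sample, utmp holds one entry for testuser while two further sessions exist without a TTY, which matches the behaviour reported in the question.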