Le Friday, 31 March 2023, 17:47:14 EDT John-Mark Gurney a écrit : > hvjunk wrote this message on Thu, Mar 30, 2023 at 23:12 +0200: > > I've been battling similar issues, and the only methods I've found (with sftp) was to use > > software like pureftd or crushftp (using crushftp lately as production) that does handle these > > issues "out of the box" > > Other than that, I'd expect you'll need to write your own PAM modules to track the accounting part to > > enforce the limits yourself, as you'll need to account for the sftp different from the terminal sessions > > You could use an sftp-server wrapper script that creates a lock file/dir > or another way to detect if a connection is already present, and then > force the use of that script via the sshd_config Subsystem directive. I'm using the internal-sftp server, because it's a chrooted setup. Not sure this can easily be done with this setup Thanks, François > > > > On 30 Mar 2023, at 22:43, François Ouellet <franco@xxxxxxxxxxxx> wrote: > > > > > > Hi, > > > > > > We need to limit concurrent sftp logins to one per user (because of bad > > > client behaviour). Is there any way to achieve this I have overlooked? > > > > > > It seems it could be possible with pam_limits, if sftp sessions were > > > recorded in utmp (a guess from what I found googling around). If I > > > configure /etc/security/limits.conf with > > > > > > testuser hard maxlogins 1 > > > > > > and connect with ssh, and try a second connection with sftp, the sftp > > > fails because there is already one session open. But if I connect with > > > sftp and try a second sftp connection, it is allowed. > > > > > > Is there some way to have sftp connections recorded in utmp? I haven't > > > found any reference to this. There are some posts from 10+ years ago > > > where others were trying the same thing but there's no reply about how > > > to do it. Would it be possible to add this option? > > > > > > We're using ChrootDirectory and ForceCommand internal-sftp, if it makes > > > a difference (I've tried without and had the same results). > > > > > > Tried this on Debian bookworm's openssh-server (9.2). The changelog > > > from 9.3 does not mention anything related to this. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
