On Monday, 3 April 2023, 00:05:25 EDT Damien Miller wrote:
> On Thu, 30 Mar 2023, François Ouellet wrote:
>
> > Hi,
> >
> > We need to limit concurrent sftp logins to one per user (because of bad
> > client behaviour). Is there any way to achieve this I have overlooked?
> >
> > It seems it could be possible with pam_limits, if sftp sessions were
> > recorded in utmp (a guess from what I found googling around). If I
> > configure /etc/security/limits.conf with
> >
> > testuser hard maxlogins 1
> >
> > and connect with ssh, and try a second connection with sftp, the sftp
> > fails because there is already one session open. But if I connect with
> > sftp and try a second sftp connection, it is allowed.
> >
> > Is there some way to have sftp connections recorded in utmp? I haven't
> > found any reference to this. There are some posts from 10+ years ago
> > where others were trying the same thing but there's no reply about how
> > to do it. Would it be possible to add this option?
>
> We've been asked about this a number of times before - the problem is
> that utmp is really set up to record interactive logins that have a
> TTY/PTY assigned. There is AFAIK no real standard for recording
> "service logins" (e.g. sftp or SSH command execution w/o TTY) in utmp
> and many OS utmp implementations lack fields by which this could be
> communicated.
>
> IIRC we toyed with recording something fake like "sftp" in ut_line
> but that caused problems as none of the other tools were set up to
> accept it.

Is there an archive of the discussion of the problems it brings to the
other tools? I'd like to understand the issues. What other tools are
impacted? If I don't need them, would it be possible to think about
adding an option to enter fake utmp entries for internal-sftp sessions
(or any other subsystem, I'm only seeing my own little problem here)?
Could I find some code from those tests from some time ago and apply it
locally? Was there anything publicly available?

A quick glance at the code was not enough for me to see anything obvious
that could be done. I still have some (small) hope of achieving what I
need with pam_limits and nproc if the fake utmp entry is not possible...

Thanks,
François
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
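As an added illustration (not code from this thread or from OpenSSH), the following parses utmp records and counts USER_PROCESS entries per user, which is roughly the figure that pam_limits compares against `maxlogins`; it assumes the glibc x86_64 `struct utmp` layout and feeds in constructed records rather than a live /var/run/utmp. An sftp-only session has no PTY and leaves no record, so it simply never shows up in this count.

```python
import struct
from collections import Counter

# glibc x86_64 struct utmp (384 bytes): ut_type, 2 pad, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session,
# ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes.  Assumed layout.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # <utmp.h>: a normal logged-in session
DEAD_PROCESS = 8  # <utmp.h>: session that has ended


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes):
    """Yield (ut_type, user, line, host) for every whole record in a utmp blob."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, _pid, line, _id, user, host = struct.unpack_from(UTMP_FMT, data, off)[:6]
        yield ut_type, _cstr(user), _cstr(line), _cstr(host)


def count_logins(data: bytes) -> Counter:
    """Per-user count of USER_PROCESS records: approximately what maxlogins sees."""
    counts = Counter()
    for ut_type, user, _line, _host in parse_utmp(data):
        if ut_type == USER_PROCESS:
            counts[user] += 1
    return counts


def count_logins_from_file(path: str = "/var/run/utmp") -> Counter:
    with open(path, "rb") as f:
        return count_logins(f.read())


def make_record(ut_type: int, pid: int, line: str, user: str, host: str) -> bytes:
    """Build a constructed utmp record for testing (not read from a real system)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0)


# Constructed sample: one interactive ssh login for testuser (has a PTY, so sshd
# writes a record), one stale DEAD_PROCESS entry, and root on the console.
# A concurrent sftp-only session of testuser would add nothing here.
SAMPLE = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "testuser", "192.0.2.10"),
    make_record(DEAD_PROCESS, 4100, "pts/1", "testuser", "192.0.2.10"),
    make_record(USER_PROCESS, 1337, "tty1", "root", ""),
])

if __name__ == "__main__":
    for user, n in count_logins(SAMPLE).items():
        print(f"{user}: {n} login(s) visible to maxlogins")
```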