Re: sftp and utmp

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


On 30.03.23 22:43, François Ouellet wrote:
We need to limit concurrent sftp logins to one per user (because of bad
client behaviour).  Is there any way to achieve this I have overlooked?

What authentication method(s) do your users use?

On our Internet-facing SFTP server, by default (few exceptions), we accept only pubkey auth and require users to (un)install pubkeys through us. In order to keep that latter out of users' hands, we use AuthorizedKeysCommand (rather than AuthorizedKeysFile) pointing to a little shell script (that has to look up and copy the acceptable pubkeys for the user to stdout). Inserting a "ps" to look for ongoing logins of the same user, and having the script exit without any output if found, should be easy ...

PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
Subsystem       sftp    internal-sftp
        ChrootDirectory %h
        ForceCommand internal-sftp -l INFO -u 0077
        AuthorizedKeysCommand AKC_SCRIPT
        AuthorizedKeysCommandUser AKC_USER

if [ "`echo $MANDANT | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/'`" != "_" ]; then
        # Unsupported characters in username. Refuse to work.
        $LOG.warning "Invalid username: $MANDANT"
        exit 0
if [ -r "$MAIN_FILE" ]; then
        MAIN=`grep -c '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE"`
        grep '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE" | sed -e 's/^ *#'"$MANDANT"'# *//'
exit 0
Kind regards,
Jochen Bern

Binect GmbH

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux