On 30.03.23 22:43, François Ouellet wrote:
> We need to limit concurrent sftp logins to one per user (because of bad client behaviour). Is there any way to achieve this I have overlooked?
What authentication method(s) do your users use?

On our Internet-facing SFTP server, by default (few exceptions), we accept only pubkey auth and require users to (un)install pubkeys through us. In order to keep that latter out of users' hands, we use AuthorizedKeysCommand (rather than AuthorizedKeysFile) pointing to a little shell script (that has to look up and copy the acceptable pubkeys for the user to stdout). Inserting a "ps" to look for ongoing logins of the same user, and having the script exit without any output if found, should be easy ...
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
Subsystem sftp internal-sftp
[...]
Match group JUST-SFTP_USERS_GROUP
        ChrootDirectory %h
[...]
        ForceCommand internal-sftp -l INFO -u 0077
[...]
        AuthorizedKeysCommand AKC_SCRIPT
        AuthorizedKeysCommandUser AKC_USER
$ cat AKC_SCRIPT
#!/bin/sh
[...]
MANDANT="$1"
if [ "`echo "$MANDANT" | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/'`" != "_" ]; then
        # Unsupported characters in username. Refuse to work.
        $LOG.warning "Invalid username: $MANDANT"
        exit 0
fi
[...]
if [ -r "$MAIN_FILE" ]; then
        # Count the keys tagged for this user, then emit them with the tag stripped.
        MAIN=`grep -c '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE"`
        grep '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE" | sed -e 's/^ *#'"$MANDANT"'# *//'
fi
[...]
exit 0
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
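The "ps" gate sketched in the reply above, written out as an added example (not Jochen Bern's script and not an OpenSSH component): an AuthorizedKeysCommand-style function that prints a user's public keys only when that user has no internal-sftp process running. The process listing, the key file, the key material and the user names are all constructed here so that the functions can be exercised offline; in production the listing would come from something like `ps -eo user:32=,args=` and the file from wherever the keys are kept.

```shell
#!/bin/sh
# Added example: gate AuthorizedKeysCommand output on "no SFTP session yet".
# Everything below is constructed test data, not a real server's state.

# Constructed stand-in for `ps -eo user:32=,args=` (assumption: a chrooted
# internal-sftp session shows up as an "internal-sftp" process owned by the
# user; carol is still authenticating, so she has no such process yet).
SAMPLE_PS='root     /usr/sbin/sshd -D
root     sshd: alice [priv]
alice    sshd: alice
alice    internal-sftp -l INFO -u 0077
root     sshd: bob [priv]
bob      sshd: bob
bob      internal-sftp -l INFO -u 0077
root     sshd: carol [priv]'

# Constructed key file in the "#USER# key" layout used by the original script.
# The key blobs are placeholders, not real keys.
KEYFILE=$(mktemp) || exit 1
trap 'rm -f "$KEYFILE"' EXIT
cat >"$KEYFILE" <<'EOF'
#alice# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED_KEY_FOR_ALICE alice@example.invalid
#carol# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED_KEY_FOR_CAROL carol@example.invalid
# bob has no key on file
EOF

# Same whitelist as the original: map every allowed character to "_" and
# require that nothing else is left. The name is later spliced into a grep
# pattern, so this check is what keeps it from becoming regex syntax.
username_ok() {
    [ -n "$1" ] &&
    [ "$(printf '%s\n' "$1" | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/')" = "_" ]
}

# Count internal-sftp processes owned by $1 in a "USER ARGS..." listing ($2).
# Matching on the sftp server process, not on "sshd: user", avoids counting
# the connection that is being authenticated right now.
active_sftp_sessions() {
    printf '%s\n' "$2" |
    awk -v u="$1" '$1 == u && $2 == "internal-sftp" { n++ } END { print n + 0 }'
}

# Emit the keys tagged "#USER#" in key file $2 with the tag stripped.
keys_for() {
    grep '^ *#'"$1"'# *ssh-' "$2" | sed -e 's/^ *#'"$1"'# *//'
}

# The gate itself: $1 user, $2 process listing, $3 key file.
# Prints the user's keys, or nothing (which sshd treats as "no key accepted").
gate_keys() {
    username_ok "$1" || return 0
    [ "$(active_sftp_sessions "$1" "$2")" -eq 0 ] || return 0
    keys_for "$1" "$3"
}

# Demonstration over the constructed data: alice is refused (session running),
# carol gets her key, bob has no key on file, the last name fails validation.
for u in alice bob carol 'eve;id'; do
    printf '%s -> [%s]\n' "$u" "$(gate_keys "$u" "$SAMPLE_PS" "$KEYFILE")"
done
```

Two things to keep in mind before relying on this as the only limit: the check is racy (two connections from the same user that authenticate at the same moment both see zero sessions and both get the key), and a session whose TCP connection died silently keeps the user locked out until sshd reaps it, so ClientAliveInterval/ClientAliveCountMax need sensible values. The AuthorizedKeysCommandUser also has to be able to see other users' processes, which a /proc mounted with hidepid would prevent.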
openssh-unix-dev mailing list, https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev