On Mon, Apr 3, 2023 at 12:16 AM Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> On Thu, 30 Mar 2023, François Ouellet wrote:
>
> > Hi,
> >
> > We need to limit concurrent sftp logins to one per user (because of bad
> > client behaviour). Is there any way to achieve this I have overlooked?
> >
> > It seems it could be possible with pam_limits, if sftp sessions were
> > recorded in utmp (a guess from what I found googling around). If I
> > configure /etc/security/limits.conf with
> >
> > testuser hard maxlogins 1
> >
> > and connect with ssh, and try a second connection with sftp, the sftp
> > fails because there is already one session open. But if I connect with
> > sftp and try a second sftp connection, it is allowed.
> >
> > Is there some way to have sftp connections recorded in utmp? I haven't
> > found any reference to this. There are some posts from 10+ years ago
> > where others were trying the same thing but there's no reply about how
> > to do it. Would it be possible to add this option?
>
> We've been asked about this a number of times before - the problem is
> that utmp is really set up to record interactive logins that have a
> TTY/PTY assigned. There is AFAIK no real standard for recording
> "service logins" (e.g. sftp or SSH command execution w/o TTY) in utmp
> and many OS utmp implementations lack fields by which this could be
> communicated.
>
> IIRC we toyed with recording something fake like "sftp" in ut_line
> but that caused problems as none of the other tools were set up to
> accept it.

sftp has some awkward limitations, as does scp. It's why I prefer, where
possible, to use rsync-over-SSH, and we can restrict the rsync options
quite heavily. It's even possible to chroot wrap, though that toolkit has
not been well maintained.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
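As an added example, not code from this thread or from OpenSSH: since sshd writes no utmp record for subsystem sessions (so pam_limits' maxlogins cannot see them), one way to get the one-session-per-user limit François asks for is a ForceCommand wrapper that counts the user's live sftp-server processes before starting another one. The sshd_config Match block, the group name sftponly, the install path /usr/local/libexec/sftp-onesession and the sftp-server path are assumptions; the "contains sftp" check on SSH_ORIGINAL_COMMAND relies on sshd exporting the client's original request (the subsystem command) in that variable, as sshd_config(5) documents for ForceCommand.

```shell
#!/bin/sh
# Added example (not OpenSSH code): a ForceCommand wrapper that caps concurrent
# sftp sessions per user by counting live sftp-server processes, because sshd
# records no utmp entry for subsystem sessions and pam_limits cannot see them.
#
# Assumed sshd_config fragment (group name and path are hypothetical):
#   Match Group sftponly
#       ForceCommand /usr/local/libexec/sftp-onesession
#
# Assumed paths: the script is installed as /usr/local/libexec/sftp-onesession
# and sftp-server lives at /usr/lib/openssh/sftp-server (Debian layout).

MAX_SESSIONS=${MAX_SESSIONS:-1}
SFTP_SERVER=${SFTP_SERVER:-/usr/lib/openssh/sftp-server}

# count_sftp_sessions USER: print how many sftp-server processes USER owns.
# pgrep -c prints 0 and exits 1 when nothing matches; an unknown user (or a
# missing pgrep) yields no output at all, which decide() treats as "unknown".
count_sftp_sessions() {
    n=$(pgrep -c -u "$1" -x sftp-server 2>/dev/null) || true
    printf '%s\n' "$n"
}

# decide COUNT MAX: exit 0 if a new session may start, 1 otherwise.
# Anything that is not a non-negative integer fails closed: if we cannot
# count, we do not admit.
decide() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    case $2 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -lt "$2" ]
}

main() {
    # sshd sets USER to the authenticated account; refuse to run without it.
    user=${USER:?must be run by sshd for an authenticated user}

    # sshd puts the client's original request in SSH_ORIGINAL_COMMAND; for a
    # subsystem request that is the configured sftp command (assumption: it
    # contains "sftp"). Anything else (shell, scp, rsync) is refused so that
    # ForceCommand really does mean sftp-only.
    case ${SSH_ORIGINAL_COMMAND-} in
        *sftp*) ;;
        *) printf 'Only sftp is permitted on this account\n' >&2; exit 1 ;;
    esac

    count=$(count_sftp_sessions "$user")
    if ! decide "$count" "$MAX_SESSIONS"; then
        logger -t sftp-onesession -p auth.notice \
            "refused sftp session for $user: active=${count:-unknown} limit=$MAX_SESSIONS"
        printf 'Too many concurrent sftp sessions\n' >&2
        exit 1
    fi
    exec "$SFTP_SERVER"
}

# Run only when installed under the name sshd is configured to call, so that
# sourcing or testing this file does not try to exec sftp-server.
case $0 in
    */sftp-onesession) main "$@" ;;
esac
```

The count-then-exec sequence is racy: two connections arriving at the same instant can both see zero sessions and both be admitted. For a strict limit of exactly one, hold a per-user lock for the lifetime of the session instead, e.g. replace the final `exec` with `exec flock -n "/run/lock/sftp-$user" "$SFTP_SERVER"` (flock is util-linux, so Linux only); the second session then fails immediately because the lock is taken. For the rsync-over-SSH alternative mentioned above, the equivalent restriction point is an authorized_keys `command=` entry running rsync's own rrsync wrapper, which confines the client to a directory and a chosen subset of rsync options.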