I'm working from a modified 5.0p1 codebase.

What I'm looking for is a mechanism to limit the number of simultaneous connections on a per-user/IP basis. That is, disallow multiple simultaneous logins/authentication of the same user from different IP addresses.

e.g.:

fred from 10.1.1.1 - accept
fred from 10.1.1.2 -- reject while fred is still connected from 10.1.1.1
fred from 10.1.1.1 - OK (same IP)
--- all freds log out
fred from 10.1.1.2 -- OK (fred not logged in)

Is this doable, or not? I realize that the sshd architecture may make this difficult or impossible.

----
Scott Neugroschl
Why do you want to do this! This is totally against all praxis in a Unix environment! Users will be VERY annoyed. If they log in from home and then go to some other place and try to log in and the server says "rejected" they will just get mad. (In my opinion). And mostly because they don't understand the logic in this. A Unix is a multiuser, multi-session environment. Scrap this idea!

GH

2010/4/15 Scott Neugroschl <scott_n at xypro.com>:
> I'm working from a modified 5.0p1 codebase.
>
> What I'm looking for is a mechanism to limit the number of simultaneous
> connections on a per-user/IP basis.
> That is, disallow multiple simultaneous logins/authentication of the
> same user from different IP addresses.
>
> e.g.:
>
> fred from 10.1.1.1 - accept
> fred from 10.1.1.2 -- reject while fred is still connected from 10.1.1.1
> fred from 10.1.1.1 - OK (same IP)
> --- all freds log out
> fred from 10.1.1.2 -- OK (fred not logged in)
>
> Is this doable, or not? I realize that the sshd architecture may make
> this difficult or impossible.
>
> ----
> Scott Neugroschl
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
gorhas at gmail.com
Mob: 070-5530148
Because I have a customer who requested it?

> -----Original Message-----
> From: Goran Hasse [mailto:gorhas at gmail.com]
> Sent: Thursday, April 15, 2010 1:24 PM
> To: Scott Neugroschl
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Limit number of connections per user?
>
> Why do you want to do this! This is totally against all
> praxis in a Unix environment! Users will be VERY annoyed. If they log
> in from home and then go to some other place and try to log in and the
> server says "rejected" they will just get mad. (In my opinion). And
> mostly because they don't understand the logic in this. A Unix is a
> multiuser, multi-session environment. Scrap this idea!
>
> GH
On Thu, 2010-04-15 at 22:24 +0200, Goran Hasse wrote:
> If they log in from home and then go to some other place and try to
> log in and the server says "rejected"

I think this is simultaneous access from different IPs, when people use TOR for example. This could be a nice security feature.
On Thu, 15 Apr 2010, Scott Neugroschl wrote:
> I'm working from a modified 5.0p1 codebase.
>
> What I'm looking for is a mechanism to limit the number of
> simultaneous connections on a per-user/IP basis. That is, disallow
> multiple simultaneous logins/authentication of the same user from
> different IP addresses.

There isn't any way to do this at present, and adding the ability would be a little tricky. The master server would need to maintain some state for each connection that is active so it can apply the rules.

I have vague plans to get the listening server maintaining similar state for another reason (to track and act on frequent abnormal terminations), so the infrastructure might happen eventually.

-d
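As an added illustration that is not OpenSSH code and not from any poster in this thread, this models the per-connection state the listening server would have to keep, applying the accept/reject rule from Scott's fred example to session open and close events; the table size and the function names are assumptions.

```c
/* Constructed model, not OpenSSH code: the per-(user, address) state a listening
 * sshd would have to keep to enforce "one source address per user at a time". */
#include <stdio.h>
#include <string.h>
#define MAX_SESSIONS 64             /* assumed limit for this model */

struct session {
    char user[32];
    char addr[46];                  /* room for an IPv6 text address */
    int  active;                    /* live connections for this (user, addr) */
};
static struct session table[MAX_SESSIONS];

/* Under this policy a user has live sessions from at most one address, so at most one entry per user is active. */
static struct session *find_user(const char *user)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].active > 0 && strcmp(table[i].user, user) == 0)
            return &table[i];
    return NULL;
}

/* Called once authentication succeeds: 1 = accept (and record), 0 = reject. */
int session_open(const char *user, const char *addr)
{
    struct session *s = find_user(user);
    if (s != NULL) {
        if (strcmp(s->addr, addr) != 0)
            return 0;               /* same user, different address: reject */
        s->active++;                /* same address: a further session is fine */
        return 1;
    }
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].active == 0) {
            snprintf(table[i].user, sizeof table[i].user, "%s", user);
            snprintf(table[i].addr, sizeof table[i].addr, "%s", addr);
            table[i].active = 1;
            return 1;
        }
    }
    return 0;                       /* table full: fail closed */
}

/* Called when a connection ends: 1 = session released, 0 = nothing matched. */
int session_close(const char *user, const char *addr)
{
    struct session *s = find_user(user);
    if (s == NULL || strcmp(s->addr, addr) != 0) return 0;
    s->active--;
    return 1;
}
```

Note that the state lives in the process that accepts connections, so each forked per-connection child must report its exit back to that process or the "all freds log out" transition never happens.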