On Thu, 30 Mar 2023, François Ouellet wrote:

> Hi,
>
> We need to limit concurrent sftp logins to one per user (because of bad
> client behaviour). Is there any way to achieve this I have overlooked?
>
> It seems it could be possible with pam_limits, if sftp sessions were
> recorded in utmp (a guess from what I found googling around). If I
> configure /etc/security/limits.conf with
>
> testuser hard maxlogins 1
>
> and connect with ssh, and try a second connection with sftp, the sftp
> fails because there is already one session open. But if I connect with
> sftp and try a second sftp connection, it is allowed.
>
> Is there some way to have sftp connections recorded in utmp? I haven't
> found any reference to this. There are some posts from 10+ years ago
> where others were trying the same thing but there's no reply about how
> to do it. Would it be possible to add this option?

We've been asked about this a number of times before - the problem is
that utmp is really set up to record interactive logins that have a
TTY/PTY assigned. There is AFAIK no real standard for recording
"service logins" (e.g. sftp or SSH command execution w/o TTY) in utmp
and many OS utmp implementations lack fields by which this could be
communicated.

IIRC we toyed with recording something fake like "sftp" in ut_line
but that caused problems as none of the other tools were set up to
accept it.

-d
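To make the mechanism Damien describes concrete, here is an added example (not code from OpenSSH, pam_limits or anyone in the thread) that counts utmp records the way a maxlogins-style check does: only USER_PROCESS entries, which only TTY/PTY logins create, so an sftp session is invisible to it. It assumes a Linux/glibc utmpx; the records are constructed, and the walk of the host's real utmp in main() is only a sanity check.

```c
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

/* Count the records a maxlogins-style check attributes to `user`: only
 * USER_PROCESS entries, i.e. interactive logins holding a TTY/PTY. This
 * approximates pam_limits' behaviour; it is not its code. An sftp or
 * no-TTY command session writes no utmp record, so it never shows up. */
size_t count_user_logins(const struct utmpx *recs, size_t n, const char *user)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].ut_type == USER_PROCESS &&
            strncmp(recs[i].ut_user, user, sizeof recs[i].ut_user) == 0)
            count++;
    }
    return count;
}

/* Fill one record; fields other than type/user/line stay zeroed. */
static void make_rec(struct utmpx *r, short type, const char *user, const char *line)
{
    memset(r, 0, sizeof *r);
    r->ut_type = type;
    strncpy(r->ut_user, user, sizeof r->ut_user - 1);
    strncpy(r->ut_line, line, sizeof r->ut_line - 1);
}

/* Constructed stand-in for /var/run/utmp: testuser has one live ssh shell
 * and one logged-out session; any sftp logins leave no record at all. */
size_t sample_records(struct utmpx *out)
{
    make_rec(&out[0], USER_PROCESS, "testuser", "pts/0"); /* ssh shell */
    make_rec(&out[1], DEAD_PROCESS, "testuser", "pts/1"); /* logged out */
    make_rec(&out[2], USER_PROCESS, "other", "pts/2");
    return 3;
}

int main(void)
{
    struct utmpx recs[3];
    size_t n = sample_records(recs), live = 0;
    printf("constructed utmp: testuser has %zu counted login(s)\n",
           count_user_logins(recs, n, "testuser"));
    setutxent(); /* same test over the host's real utmp database */
    for (struct utmpx *u = getutxent(); u != NULL; u = getutxent())
        live += (u->ut_type == USER_PROCESS);
    endutxent();
    printf("live utmp: %zu USER_PROCESS record(s) on this host\n", live);
    return 0;
}
```

Open an sftp-only session, re-run the live count, and it does not change; open an ssh shell and it goes up by one, which is exactly what François observed with maxlogins.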
On Monday, 3 April 2023, 00:05:25 EDT Damien Miller wrote:

> On Thu, 30 Mar 2023, François Ouellet wrote:
>
> > Hi,
> >
> > We need to limit concurrent sftp logins to one per user (because of bad
> > client behaviour). Is there any way to achieve this I have overlooked?
> >
> > It seems it could be possible with pam_limits, if sftp sessions were
> > recorded in utmp (a guess from what I found googling around). If I
> > configure /etc/security/limits.conf with
> >
> > testuser hard maxlogins 1
> >
> > and connect with ssh, and try a second connection with sftp, the sftp
> > fails because there is already one session open. But if I connect with
> > sftp and try a second sftp connection, it is allowed.
> >
> > Is there some way to have sftp connections recorded in utmp? I haven't
> > found any reference to this. There are some posts from 10+ years ago
> > where others were trying the same thing but there's no reply about how
> > to do it. Would it be possible to add this option?
>
> We've been asked about this a number of times before - the problem is
> that utmp is really set up to record interactive logins that have a
> TTY/PTY assigned. There is AFAIK no real standard for recording
> "service logins" (e.g. sftp or SSH command execution w/o TTY) in utmp
> and many OS utmp implementations lack fields by which this could be
> communicated.
>
> IIRC we toyed with recording something fake like "sftp" in ut_line
> but that caused problems as none of the other tools were set up to
> accept it.

Is there an archive of the discussion of the problems it brings to the
other tools? I'd like to understand the issues. What other tools are
impacted? If I don't need them, would it be possible to think about
adding an option to enter fake utmp entries for internal-sftp sessions
(or any other subsystem, I'm only seeing my own little problem here)?
Could I find some code from those tests from some time ago and apply it
locally? Was there anything publicly available?

A quick glance at the code was not enough for me to see anything obvious
that could be done. I still have some (small) hope of achieving what I
need with pam_limits and nproc if the fake utmp entry is not possible...

Thanks,
François
On Mon, Apr 3, 2023 at 12:16 AM Damien Miller <djm at mindrot.org> wrote:
>
> On Thu, 30 Mar 2023, François Ouellet wrote:
>
> > Hi,
> >
> > We need to limit concurrent sftp logins to one per user (because of bad
> > client behaviour). Is there any way to achieve this I have overlooked?
> >
> > It seems it could be possible with pam_limits, if sftp sessions were
> > recorded in utmp (a guess from what I found googling around). If I
> > configure /etc/security/limits.conf with
> >
> > testuser hard maxlogins 1
> >
> > and connect with ssh, and try a second connection with sftp, the sftp
> > fails because there is already one session open. But if I connect with
> > sftp and try a second sftp connection, it is allowed.
> >
> > Is there some way to have sftp connections recorded in utmp? I haven't
> > found any reference to this. There are some posts from 10+ years ago
> > where others were trying the same thing but there's no reply about how
> > to do it. Would it be possible to add this option?
>
> We've been asked about this a number of times before - the problem is
> that utmp is really set up to record interactive logins that have a
> TTY/PTY assigned. There is AFAIK no real standard for recording
> "service logins" (e.g. sftp or SSH command execution w/o TTY) in utmp
> and many OS utmp implementations lack fields by which this could be
> communicated.
>
> IIRC we toyed with recording something fake like "sftp" in ut_line
> but that caused problems as none of the other tools were set up to
> accept it.

sftp has some awkward limitations, as does scp. It's why I prefer where
possible to use rsync-over-SSH, and we can restrict the rsync options
quite heavily. It's even possible to chroot wrap, though that toolkit has
not been well maintained.