On Mon, Apr 3, 2023 at 12:16?AM Damien Miller <djm at mindrot.org>
wrote:>
> On Thu, 30 Mar 2023, Fran?ois Ouellet wrote:
>
> > Hi,
> >
> > We need to limit concurrent sftp logins to one per user (because of
bad
> > client behaviour). Is there any way to achieve this I have
overlooked?
> >
> > It seems it could be possible with pam_limits, if sftp sessions were
> > recorded in utmp (a guess from what I found googling around). If I
> > configure /etc/security/limits.conf with
> >
> > testuser hard maxlogins 1
> >
> > and connect with ssh, and try a second connection with sftp, the sftp
> > fails because there is already one session open. But if I connect
with
> > sftp and try a second sftp connection, it is allowed.
> >
> > Is there some way to have sftp connections recorded in utmp? I
haven't
> > found any reference to this. There are some posts from 10+ years ago
> > where others were trying the same thing but there's no reply about
how
> > to do it. Would it be possible to add this option?
>
> We've been asked about this a number of times before - the problem is
> that utmp is really set up to record interactive logins that have a
> TTY/PTY assigned. There is AFAIK no real standard for recording
> "service logins" (e.g. sftp or SSH command execution w/o TTY) in
utmp
> and many OS utmp implementation lack fields by which this could be
> communicated.
>
> IIRC we toyed with recording something fake like "sftp" in
ut_line
> but that caused problems as none of the other tools were set up to
> accept it.
sftp has some awkward limitations, as does scp. It's why I prefer were
possible to use rsync-over-SSH, and we can restrict the rsync options
quite heavily. It's even possible to chroot wrap, though that toolkit
has not been well maintained.