Possible to limit to one connection per user for ssh/sftp?

Issues related to software problems.
TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Possible to limit to one connection per user for ssh/sftp?

Post by TrevorH » 2009/12/04 01:33:44

[quote]
iamvoyager wrote:
Denial of service attacks? How? I imagine that, if the capability I am looking for exists, it would only be applicable to a successful login attempt.[/quote]

Denial of service attacks are not always intentional and I just wanted you to consider the possibility that you might lock yourself out of the server if you went ahead and restricted logins to 1. I did misread the original post as meaning ssh and only one user logged on at a time, thus I had in mind someone ssh'ing to your machine, forgetting that they were logged in and then going to lunch/camping for the weekend, etc.

Suggest that you look at /etc/security/limits.conf and the maxlogins keyword if you want to go ahead with this.

DennyCrane
Posts: 33
Joined: 2009/02/18 14:02:50

Re: Possible to limit to one connection per user for ssh/sftp?

Post by DennyCrane » 2009/12/04 02:53:06

Hmm... this looks like it's what I want, but it doesn't seem to have any effect, and I can't find complete instructions anywhere to be entirely sure I'm doing all that I need to. Am I supposed to restart sshd after making the change? Restart something else? I've tried dozens of combinations that do not seem to have any effect, regardless of restarting sshd. The primary configuration I've tried is as follows:

[code]h107l2za24ctssj7 hard maxlogins 1[/code]

(h107l2za24ctssj7 is a specific user account.)

EDIT:

Also, the documentation is vague, and while I looked for clarification on various points, there are all sorts of people who are stating very matter-of-factly that one thing means such-and-such, while the next person says very matter-of-factly it means something else. For example, no one can seem to agree if 'maxlogins' means the number of failed login attempts before locking the user out, the number of login attempts allowed ever, or the number of concurrent logins allowed per user. Boy is this ever frustrating :)


Nate

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: Possible to limit to one connection per user for ssh/sftp?

Post by r_hartman » 2009/12/04 09:05:30

[quote]
iamvoyager wrote:
Also, the documentation is vague, ...[/quote]

I just checked man limits.conf, but I don't find anything vague in there. In fact, even the /etc/security/limits.conf is pretty self documenting:

[code]#<domain> <type> <item> <value>
#

#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4

# End of file[/code]

Your mistake is probably to deviate from the example (look at the bottom @student line). If you just add a line
[code]h107l2za24ctssj7 - maxlogins 1[/code]
you should find things work as desired.

I just did a quick test, and it limits the number of logins to what you specify.
I used 2 and could have two sessions, ssh, winscp, or mixed. Never more than 2 sessions.

I used to separate the columns, not . Not sure if that would make a difference.

All this assumes that you have a line
[code]session required pam_limits.so[/code]
in /etc/pam.d/system-auth-ac and sshd is configured to use pam.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Possible to limit to one connection per user for ssh/sftp?

Post by TrevorH » 2009/12/04 11:28:00

Once you get this working I would set it up so that everyone you want to restrict to one login is in a specific group and then put a line in that limits that group - e.g.:

[code]@onelogin - maxlogins 1[/code]

and then make sure that you have at least one user who can login who is not part of that group! Now you don't have to fiddle about editing limits.conf every time you want to add a username to the list, you just add them to the onelogin group.
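The two posts above between them give the whole recipe: a four-field limits.conf line (domain, type, item, value, where `-` means both soft and hard), pam_limits.so in the session stack, and an @group domain so the list of restricted accounts lives in /etc/group. The script below is an added example for this thread, not code from the posts or from Linux-PAM. It validates limits.conf lines the way pam_limits parses them, resolves the maxlogins that would apply to a user (a line naming the user beats an @group line, which beats `*`; among equally specific lines the last match wins), and checks that pam_limits.so is active in a PAM session stack. The file contents are constructed: the account name is the one from the thread, the `onelogin` group is the one TrevorH suggests, and the rest is made up to exercise the checks.

```python
"""Check limits.conf entries and resolve the maxlogins pam_limits will apply.

Added example for this thread; not code from the forum posts or from Linux-PAM.
The file contents below are constructed.  On a real host, feed the functions
open('/etc/security/limits.conf').read() and the /etc/pam.d file sshd uses.
"""
import re

VALID_TYPES = {"soft", "hard", "-"}       # '-' means both soft and hard
VALID_ITEMS = {
    "core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu",
    "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks",
    "sigpending", "msgqueue", "nice", "rtprio",
}
# pam_limits precedence: a line naming the user beats an @group line, which
# beats '*'.  Among lines of equal precedence the last matching one wins.
SRC_USER, SRC_GROUP, SRC_ALL = 0, 1, 2

LIMITS_CONF = """\
#<domain>        <type>  <item>      <value>
*                soft    core        0
@onelogin        -       maxlogins   1
h107l2za24ctssj7 -       maxlogins   2
admin            hard    maxlogins           # constructed breakage: value missing
@faculty         hard    nproc       50
"""

PAM_SYSTEM_AUTH = """\
session     required      pam_limits.so
session     required      pam_unix.so
"""


def parse_limits(text):
    """Return (entries, errors); entries are (domain, type, item, value) tuples."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                # tabs or spaces, any mix
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 fields, found {len(fields)}: {raw.strip()!r}")
            continue
        domain, ltype, item, value = fields
        if ltype not in VALID_TYPES:
            errors.append(f"line {lineno}: type must be soft, hard or '-', not {ltype!r}")
        elif item not in VALID_ITEMS:
            errors.append(f"line {lineno}: unknown item {item!r}")
        elif not (value in ("unlimited", "infinity") or re.fullmatch(r"-?\d+", value)):
            errors.append(f"line {lineno}: value must be an integer or unlimited, not {value!r}")
        else:
            entries.append((domain, ltype, item,
                            value if value in ("unlimited", "infinity") else int(value)))
    return entries, errors


def effective_maxlogins(entries, user, groups):
    """maxlogins pam_limits would enforce for `user` (a member of `groups`);
    None when no line matches."""
    best, best_src = None, SRC_ALL + 1
    for domain, _ltype, item, value in entries:
        if item != "maxlogins":
            continue
        if domain == user:
            src = SRC_USER
        elif domain.startswith("@") and domain[1:] in groups:
            src = SRC_GROUP
        elif domain == "*":
            src = SRC_ALL
        else:
            continue
        if src <= best_src:           # more specific wins; equal: later line wins
            best, best_src = value, src
    return best


def pam_limits_in_session_stack(pam_text):
    """True when an active (uncommented) session line loads pam_limits.so."""
    for line in pam_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "session" and any(f.endswith("pam_limits.so") for f in fields):
            return True
    return False


if __name__ == "__main__":
    entries, errors = parse_limits(LIMITS_CONF)
    for err in errors:
        print("ERROR", err)
    for user, groups in (("h107l2za24ctssj7", {"onelogin"}),
                         ("bob", {"onelogin"}), ("carol", set())):
        print(user, "maxlogins ->", effective_maxlogins(entries, user, groups))
    print("pam_limits in session stack:", pam_limits_in_session_stack(PAM_SYSTEM_AUTH))
```

Run against the constructed input, the script flags the three-field `admin` line, resolves 2 for the named account (its own line beats the group line), 1 for any other member of onelogin, and nothing for a user no line matches; that last case is the "keep one unrestricted admin account" point from the post.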

DennyCrane
Posts: 33
Joined: 2009/02/18 14:02:50

Re: Possible to limit to one connection per user for ssh/sftp?

Post by DennyCrane » 2009/12/04 15:45:15

[quote]
r_hartman wrote:
[quote]
iamvoyager wrote:
Also, the documentation is vague, ...[/quote]

I just checked man limits.conf, but I don't find anything vague in there. In fact, even the /etc/security/limits.conf is pretty self documenting:

[code]#<domain> <type> <item> <value>
#

#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4

# End of file[/code]

Your mistake is probably to deviate from the example (look at the bottom @student line). If you just add a line
[code]h107l2za24ctssj7 - maxlogins 1[/code]
you should find things work as desired.

I just did a quick test, and it limits the number of logins to what you specify.
I used 2 and could have two sessions, ssh, winscp, or mixed. Never more than 2 sessions.

I used to separate the columns, not . Not sure if that would make a difference.

All this assumes that you have a line
[code]session required pam_limits.so[/code]
in /etc/pam.d/system-auth-ac and sshd is configured to use pam.[/quote]

Yes, all of that is properly configured.

Through additional troubleshooting, I've discovered that:
1) With a first instance connecting via straight SSH, a second instance connecting via straight SSH will be immediately disconnected.
2) With a first instance connecting via straight SSH, a second instance connecting via SFTP will be immediately disconnected.
3) With a first instance connecting via SFTP, a second instance connecting via either SSH or SFTP will be unaffected.

I do not understand why this is happening. The third case is the one that I need to work, and it's the one that doesn't for some reason....

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: Possible to limit to one connection per user for ssh/sftp?

Post by r_hartman » 2009/12/05 20:53:57

[quote]Through additional troubleshooting, I've discovered that:
1) With a first instance connecting via straight SSH, a second instance connecting via straight SSH will be immediately disconnected.
2) With a first instance connecting via straight SSH, a second instance connecting via SFTP will be immediately disconnected.
3) With a first instance connecting via SFTP, a second instance connecting via either SSH or SFTP will be unaffected.

I do not understand why this is happening. The third case is the one that I need to work, and it's the one that doesn't for some reason....[/quote]

Hmmm.... I just confirmed that.

I suspect this is because sftp does not allocate a 'real' session.
When I stick my limits to 1, I can set up a single PuTTY session only, but once I tell PuTTY to "Don't start a shell or command at all" (under SSH) I can set up as many sessions as I like (for port rerouting and stuff), i.e. the same as with sftp. I've even tried with rssh, but same difference :-x

I suspect limits watches the number of login shells and applies its settings there. As sftp does not allocate a shell, it never satisfies the limits criteria.

Setting up svn might be faster and easier after all...
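The three cases reported above follow from how maxlogins is counted. pam_limits enforces maxlogins by counting the user's USER_PROCESS records in utmp (the lines `who` prints), and sshd writes a utmp record only for sessions that get a pty. An sftp subsystem session, or an ssh session with no shell or command (PuTTY's "Don't start a shell or command at all", `ssh -N`), gets no pty, hence no utmp record, hence nothing for maxlogins to count; a shell session does get one, so it blocks everything that follows. The script below is an added example for this thread, not code from the posts, OpenSSH or Linux-PAM. It reproduces the decision pam_limits makes from `who`-style output and shows, from `ps -eo user,args`-style output, which sshd sessions maxlogins can never see. Both inputs are constructed for the thread's cases; on a live host, pass the real command output to the same functions.

```python
"""Why a session that starts with sftp does not count toward maxlogins.

Added example for this thread; not code from the forum posts, OpenSSH or
Linux-PAM.  The `who` and `ps -eo user,args` outputs below are constructed.
"""
import re
from collections import Counter

# The per-session sshd child retitles itself 'sshd: user@pts/N' when the
# session has a pty and 'sshd: user@notty' when it does not (sftp, ssh -N).
SESSION_RE = re.compile(r"sshd: (\S+)@(\S+)")

# Cases 1 and 2: the first session is a shell on pts/0, so utmp has one record.
WHO_AFTER_SHELL = """\
h107l2za24ctssj7 pts/0        2009-12-04 15:20 (192.0.2.10)
root             pts/1        2009-12-04 15:22 (192.0.2.11)
"""
# Case 3: the first session is sftp, so utmp shows nothing for the user.
WHO_AFTER_SFTP = """\
root             pts/1        2009-12-04 15:22 (192.0.2.11)
"""
# Process list with one shell session and two sftp sessions for the same user.
PS_OUTPUT = """\
USER             COMMAND
root             /usr/sbin/sshd
root             sshd: h107l2za24ctssj7 [priv]
h107l2za24ctssj7 sshd: h107l2za24ctssj7@pts/0
h107l2za24ctssj7 -bash
root             sshd: h107l2za24ctssj7 [priv]
h107l2za24ctssj7 sshd: h107l2za24ctssj7@notty
h107l2za24ctssj7 /usr/libexec/openssh/sftp-server
root             sshd: h107l2za24ctssj7 [priv]
h107l2za24ctssj7 sshd: h107l2za24ctssj7@notty
h107l2za24ctssj7 /usr/libexec/openssh/sftp-server
"""


def utmp_logins(who_text):
    """Logins per user as pam_limits counts them: one per `who` line."""
    return Counter(line.split()[0] for line in who_text.splitlines() if line.strip())


def sshd_sessions(ps_text):
    """(pty_sessions, notty_sessions) per user, taken from sshd process titles."""
    pty, notty = Counter(), Counter()
    for line in ps_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            user, tty = m.groups()
            (notty if tty == "notty" else pty)[user] += 1
    return pty, notty


def pam_limits_allows_login(who_text, user, maxlogins):
    """Mirror the maxlogins decision for a new login by `user`: the new
    session counts as 1 on top of the user's existing utmp records, and the
    login is refused when that total exceeds maxlogins."""
    return 1 + utmp_logins(who_text)[user] <= maxlogins


def sessions_invisible_to_maxlogins(ps_text):
    """Per-user sshd sessions without a pty, i.e. ones maxlogins never counts."""
    return sshd_sessions(ps_text)[1]


if __name__ == "__main__":
    user, limit = "h107l2za24ctssj7", 1
    print("second login after a shell session allowed?",
          pam_limits_allows_login(WHO_AFTER_SHELL, user, limit))   # False
    print("second login after an sftp session allowed?",
          pam_limits_allows_login(WHO_AFTER_SFTP, user, limit))    # True
    pty, notty = sshd_sessions(PS_OUTPUT)
    print(f"{user}: {pty[user]} pty session(s) counted, "
          f"{notty[user]} sftp/no-shell session(s) not counted")
```

The practical consequence for the thread's goal: pam_limits maxlogins can cap interactive shells, but it cannot cap sftp-only access, because the thing it counts is never created for those sessions. Comparing `who` with `ps -eo user,args | grep 'sshd: .*@notty'` on the server makes the gap visible.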

DennyCrane
Posts: 33
Joined: 2009/02/18 14:02:50

Re: Possible to limit to one connection per user for ssh/sftp?

Post by DennyCrane » 2009/12/06 00:32:51

[quote]
r_hartman wrote:
Setting up svn might be faster and easier after all...[/quote]

It does not matter what would be fastest and easiest for me. SVN has already been decided against. If anyone has any (non version control) alternative suggestion or any other potential solution regarding the topic of this thread, please let me know. If there are no alternative suggestions, it's an sshd option or it's nothing.

Thank you,
Nate
