Possible to limit to one connection per user for ssh/sftp?

DennyCrane
Posts: 33
Joined: 2009/02/18 14:02:50

Possible to limit to one connection per user for ssh/sftp?

Post by DennyCrane » 2009/12/03 15:10:54

Is it possible to limit each user so that only one can connect via each username for ssh/sftp? I work with a small company where there aren't really enough of us to justify using a revision control system, but we don't want to accidentally step on each other's toes, so we'd like to try simply preventing more than one person from accessing a given domain at once.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Possible to limit to one connection per user for ssh/sftp?

Post by TrevorH » 2009/12/03 15:55:00

Sounds like a recipe for a denial of service attack to me!

If you're a small company then you could always try speaking to each other :lol:

But seriously, I've worked in shops with 2 developers and they still used SVN to control their source. Small isn't a justification for not using source control - for a start you can then back up the svn repo off site easily and also use it as a method of disaster recovery.

DennyCrane
Posts: 33
Joined: 2009/02/18 14:02:50

Re: Possible to limit to one connection per user for ssh/sftp?

Post by DennyCrane » 2009/12/03 16:41:03

I appreciate your reply, however we will not be going with revision control at this time; it is not currently an option for various reasons. Also, we are not all located in the same office, and it is not practical to tell everyone every file we edit throughout the day. Generally, we are working on separate domains, but occasionally two of us will unwittingly collide while making edits.

We already have disaster recovery methods in place.

Denial of service attacks? How? I imagine that, if the capability I am looking for exists, it would only be applicable to a successful login attempt.

pjwelsh
Posts: 2632
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: Possible to limit to one connection per user for ssh/sftp?

Post by pjwelsh » 2009/12/03 19:29:44

One of the denials is via a dropped internet connection, effectively leaving an open session with no attached user... But this concept brings me to the suggestion: "screen". Agree to use a predetermined "sessionname" from the screen command:
screen -S adminscreen #for the creation and
screen -r adminscreen #for the use

DennyCrane
Posts: 33
Joined: 2009/02/18 14:02:50

Re: Possible to limit to one connection per user for ssh/sftp?

Post by DennyCrane » 2009/12/03 20:09:53

[quote]
pjwelsh wrote:
One of the denials is via dropped internet connection. Effectively leaving an open session with no attached user...[/quote]

That's not an "attack" though, and since all of our users have reliable connections, a rare time-out of 90-120 seconds is not a big deal.

[quote]But this concept brings me to the suggestion... "screen". Agree to use a predetermined "sessionname" from the screen command:
screen -S adminscreen #for the creation and
screen -r adminscreen #for the use[/quote]

I'm not sure I understand your suggestion, but I'm pretty sure it will not work in our situation, since all users are connecting via SFTP using FileZilla, which does not appear to have any capability to make use of a session name. What I'm hoping to find is a server-side solution which will simply deny a connection if the user is already signed in. I am surprised if this option does not exist.

Thanks for the replies.

pjwelsh
Posts: 2632
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: Possible to limit to one connection per user for ssh/sftp?

Post by pjwelsh » 2009/12/03 20:47:20

[quote]
iamvoyager wrote:
I'm not sure I understand your suggestion, but I'm pretty sure it will not work in our situation, since all users are connecting via SFTP[/quote]

I took ssh as an option from the title of "limit to one connection per user for ssh..."

DennyCrane
Posts: 33
Joined: 2009/02/18 14:02:50

Re: Possible to limit to one connection per user for ssh/sftp?

Post by DennyCrane » 2009/12/03 22:24:29

Right, SFTP goes through SSH. Ultimately, what I meant was that I am hoping there is a way for the SSH daemon to control this, not some other program. Sounds like I'm out of luck.

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Possible to limit to one connection per user for ssh/sftp?

Post by michaelnel » 2009/12/03 23:07:00

I'm thinking you might be able to do something with a combination of netstat and iptables, but I don't know how. Something like periodically using netstat to see who is connected on port 22, and putting a block rule that maintains existing connections for that source ip but blocks new connections on port 22. Then when they are no longer connected, remove the rule.

It could be done, but it's not trivial.

Ooops. You said one connection per USER, and iptables has no conception of users, so it would be one connection per IP.

DennyCrane
Posts: 33
Joined: 2009/02/18 14:02:50

Re: Possible to limit to one connection per user for ssh/sftp?

Post by DennyCrane » 2009/12/03 23:20:24

[quote]
michaelnel wrote:
Ooops. You said one connection per USER, and iptables has no conception of users, so it would be one connection per IP.[/quote]

Yeah, the end-users should be able to make multiple connections from a single IP (especially since some will have the same IP), but no two end-users should be able to connect using the same user account on the server.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Possible to limit to one connection per user for ssh/sftp?

Post by TrevorH » 2009/12/04 01:33:44

[quote]
iamvoyager wrote:
Denial of service attacks? How? I imagine that, if the capability I am looking for exists, it would only be applicable to a successful login attempt.[/quote]

Denial of service attacks are not always intentional and I just wanted you to consider the possibility that you might lock yourself out of the server if you went ahead and restricted logins to 1. I did misread the original post as meaning ssh and only one user logged on at a time thus I had in mind someone ssh'ing to your machine, forgetting that they were logged in and then going to lunch/camping for the weekend etc.

Suggest that you look at /etc/security/limits.conf and the maxlogins keyword if you want to go ahead with this.
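As an added illustration of the maxlogins approach (this is example code, not something from the thread or from the pam_limits project): pam_limits reads /etc/security/limits.conf, where an explicit user line takes precedence over an @group line, which in turn takes precedence over the "*" default, and it decides whether to admit a new login by counting that user's existing entries in utmp (the same entries `who` lists). The script below embeds a constructed limits.conf excerpt and a constructed `who` listing for users alice, bob, carol and dave, parses the effective maxlogins the way pam_limits resolves it, counts current sessions, and says whether another login would be admitted. It treats hard, soft and "-" lines alike for maxlogins. Two points to check before relying on this on a real server: sshd must have `UsePAM yes` so the sshd PAM stack (which includes pam_limits on CentOS) runs at all, and sessions that get no pty, which is how an SFTP subsystem session normally runs, do not get a utmp entry, so verify against an actual FileZilla login that the limit is enforced rather than assuming it.

```shell
#!/bin/sh
# Added example: resolves a pam_limits maxlogins entry and checks it against
# current sessions. The limits.conf excerpt and the `who` output below are
# constructed sample data, not taken from any real host.

SAMPLE_LIMITS='# /etc/security/limits.conf excerpt (constructed)
*         hard    maxlogins   4
alice     hard    maxlogins   1
@devs     hard    maxlogins   2
bob       -       maxlogins   1
'

SAMPLE_WHO='alice    pts/0        2009-12-03 15:10 (192.0.2.10)
bob      pts/1        2009-12-03 15:12 (192.0.2.11)
alice    pts/2        2009-12-03 15:20 (192.0.2.10)
'

# effective_maxlogins USER [GROUP ...]
# Prints the maxlogins value pam_limits would apply to USER, given the groups
# USER belongs to: an explicit user line wins, then a matching @group line,
# then the "*" default; prints "unlimited" when no line applies.
effective_maxlogins() {
    user=$1; shift
    groups=$*
    printf '%s\n' "$SAMPLE_LIMITS" | awk -v user="$user" -v groups="$groups" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingroup["@" g[i]] = 1 }
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and blank lines
        $3 != "maxlogins"    { next }      # only the maxlogins item matters here
        $1 == user           { u = $4 }
        ($1 in ingroup)      { grp = $4 }
        $1 == "*"            { def = $4 }
        END {
            if (u != "") print u
            else if (grp != "") print grp
            else if (def != "") print def
            else print "unlimited"
        }'
}

# count_sessions USER
# Counts the utmp-style entries for USER in the `who` listing; this is what
# pam_limits compares against maxlogins (pty-less sessions never show up here).
count_sessions() {
    printf '%s\n' "$SAMPLE_WHO" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# login_allowed USER [GROUP ...]
# Prints "yes" if one more login for USER stays within the limit, else "no".
login_allowed() {
    user=$1; shift
    limit=$(effective_maxlogins "$user" "$@")
    if [ "$limit" = "unlimited" ]; then
        echo yes
        return 0
    fi
    current=$(count_sessions "$user")
    if [ "$current" -ge "$limit" ]; then
        echo no
    else
        echo yes
    fi
}

# Stand-alone run: show the decision for each sample user.
for entry in "alice devs" "bob" "carol devs" "dave"; do
    set -- $entry
    echo "$1: limit=$(effective_maxlogins "$@") sessions=$(count_sessions "$1") allowed=$(login_allowed "$@")"
done
```

For the scenario in the thread, a line of the form `accountname hard maxlogins 1` per shared account gives the per-account cap that was asked for, independent of client IP, which is why several people behind one address can still use different accounts while no account can be open twice.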
