topic Re: PAM limits won't work on SFTP or SCP in Operating System - Linux

PAM limits won't work on SFTP or SCP

wobbe — Thu, 03 Feb 2011 19:40:18 GMT

I'm trying to setup an SFTP/SCP server that will be used for uploading and downloading files. To prevent file locking I want to limit the SCP/SFTP sessions to one active session per user. But PAM limits.conf doesn't seem to work for SFTP/SCP, allthough it works fine for SSH (Putty) sessions. Am I missing something or is this a limitation of PAM limits?
b.t.w. I'm using Debian 5 with OpenSSH 5.1.

Re: PAM limits won't work on SFTP or SCP

Alzhy — Fri, 04 Feb 2011 15:19:37 GMT

How are you setting up your limits in PAM?

Re: PAM limits won't work on SFTP or SCP

wobbe — Fri, 04 Feb 2011 15:35:04 GMT

/etc/security/limits

test hard maxlogins 1

/etc/ssh/sshd_conf

UsePam yes

like I said, this works for SSH.

Re: PAM limits won't work on SFTP or SCP

Matti_Kurkela — Tue, 08 Feb 2011 11:38:55 GMT

Looks like OpenSSH on Debian 5 does not write SFTP or scp sessions into /var/run/utmp. Since SFTP and scp sessions normally don't have a PTY allocated to them and the utmp entry pretty much requires a TTY/PTY name, this is somewhat understandable.

Apparently the PAM limits module defines a session as "a login entry in the utmp file". That's simple and matches general Unix behavior, but it also means that any sessions with no utmp entry are not counted in PAM session limits.

By looking at the source code of OpenSSH, the utmp file is updated in session.c, in function do_pre_login(). That function in called from function do_exec_pty() only, which is executed if the session has a PTY allocated. If the session has no PTY, the function do_exec_no_pty() is used instead, and thus an utmp entry is not written for the session.

In theory, OpenSSH *could* invent some session-specific identifier in lieu of the PTY name and write an utmp entry using it. (I think some FTP servers do something like this.)
Or it could have a separate tracking system for PTYless sessions. So I would have to say this is mostly a limitation of OpenSSH.

MK

Re: PAM limits won't work on SFTP or SCP

wobbe — Tue, 08 Feb 2011 12:31:52 GMT

Thanks for that great explanation MK.
I was wondering if this had to do something with tty since scp/ftp users don't show up when you run the "w" command.

So my logical next question would be; Does anyone know of an sftp server that allows me to enforce these PAM limits correctly or perhaps uses another method to limit the logon count per user to one?

Or perhaps this issue was fixed in Debian 6.
Gives me an good excuse to have a look their latest creation. :)

Re: PAM limits won't work on SFTP or SCP

Alzhy — Tue, 08 Feb 2011 14:37:57 GMT

Wobbe,

You can try modding the Secure SHell Daemon in sshd_config and tweak the below parametre:

MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will bedropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

HTH.

Re: PAM limits won't work on SFTP or SCP

wobbe — Tue, 08 Feb 2011 15:43:24 GMT

Thanks for the suggestion Alzhy but I'm planning to use more than one account.

Re: PAM limits won't work on SFTP or SCP

Alzhy — Tue, 08 Feb 2011 18:54:41 GMT

Well -- check if there are other tunables in sshd_config (man sshd_config).