HPE Community
Operating System - Linux
1752717 Members
5663 Online
108789 Solutions
New Discussion юеВ

Re: PAM limits won't work on SFTP or SCP

 
wobbe
Respected Contributor

тАО02-03-2011 11:40 AM

тАО02-03-2011 11:40 AM

PAM limits won't work on SFTP or SCP

I'm trying to setup an SFTP/SCP server that will be used for uploading and downloading files. To prevent file locking I want to limit the SCP/SFTP sessions to one active session per user. But PAM limits.conf doesn't seem to work for SFTP/SCP, allthough it works fine for SSH (Putty) sessions. Am I missing something or is this a limitation of PAM limits?
b.t.w. I'm using Debian 5 with OpenSSH 5.1.
0 Kudos
Reply
7 REPLIES 7
Alzhy
Honored Contributor

тАО02-04-2011 07:19 AM

тАО02-04-2011 07:19 AM

Re: PAM limits won't work on SFTP or SCP

How are you setting up your limits in PAM?
Hakuna Matata.
0 Kudos
Reply
wobbe
Respected Contributor

тАО02-04-2011 07:35 AM

тАО02-04-2011 07:35 AM

Re: PAM limits won't work on SFTP or SCP

/etc/security/limits

test hard maxlogins 1

/etc/ssh/sshd_conf

UsePam yes

like I said, this works for SSH.


0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО02-08-2011 03:38 AM

тАО02-08-2011 03:38 AM

Re: PAM limits won't work on SFTP or SCP

Looks like OpenSSH on Debian 5 does not write SFTP or scp sessions into /var/run/utmp. Since SFTP and scp sessions normally don't have a PTY allocated to them and the utmp entry pretty much requires a TTY/PTY name, this is somewhat understandable.

Apparently the PAM limits module defines a session as "a login entry in the utmp file". That's simple and matches general Unix behavior, but it also means that any sessions with no utmp entry are not counted in PAM session limits.

By looking at the source code of OpenSSH, the utmp file is updated in session.c, in function do_pre_login(). That function in called from function do_exec_pty() only, which is executed if the session has a PTY allocated. If the session has no PTY, the function do_exec_no_pty() is used instead, and thus an utmp entry is not written for the session.

In theory, OpenSSH *could* invent some session-specific identifier in lieu of the PTY name and write an utmp entry using it. (I think some FTP servers do something like this.)
Or it could have a separate tracking system for PTYless sessions. So I would have to say this is mostly a limitation of OpenSSH.

MK
MK
0 Kudos
Reply
wobbe
Respected Contributor

тАО02-08-2011 04:31 AM

тАО02-08-2011 04:31 AM

Re: PAM limits won't work on SFTP or SCP

Thanks for that great explanation MK.
I was wondering if this had to do something with tty since scp/ftp users don't show up when you run the "w" command.

So my logical next question would be; Does anyone know of an sftp server that allows me to enforce these PAM limits correctly or perhaps uses another method to limit the logon count per user to one?

Or perhaps this issue was fixed in Debian 6.
Gives me an good excuse to have a look their latest creation. :)
0 Kudos
Reply
Alzhy
Honored Contributor

тАО02-08-2011 06:37 AM

тАО02-08-2011 06:37 AM

Re: PAM limits won't work on SFTP or SCP

Wobbe,

You can try modding the Secure SHell Daemon in sshd_config and tweak the below parametre:


MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will bedropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.


HTH.
Hakuna Matata.
0 Kudos
Reply
wobbe
Respected Contributor

тАО02-08-2011 07:43 AM

тАО02-08-2011 07:43 AM

Re: PAM limits won't work on SFTP or SCP

Thanks for the suggestion Alzhy but I'm planning to use more than one account.
0 Kudos
Reply
Alzhy
Honored Contributor

тАО02-08-2011 10:54 AM

тАО02-08-2011 10:54 AM

Re: PAM limits won't work on SFTP or SCP

Well -- check if there are other tunables in sshd_config (man sshd_config).
Hakuna Matata.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.