System Administration

PAM limits won't work on SFTP or SCP

 
wobbe
Respected Contributor

PAM limits won't work on SFTP or SCP

I'm trying to set up an SFTP/SCP server that will be used for uploading and downloading files. To prevent file locking I want to limit the SCP/SFTP sessions to one active session per user. But PAM limits.conf doesn't seem to work for SFTP/SCP, although it works fine for SSH (Putty) sessions. Am I missing something or is this a limitation of PAM limits?
b.t.w. I'm using Debian 5 with OpenSSH 5.1.
7 REPLIES
Alzhy
Honored Contributor

Re: PAM limits won't work on SFTP or SCP

How are you setting up your limits in PAM?
Hakuna Matata.
wobbe
Respected Contributor

Re: PAM limits won't work on SFTP or SCP

/etc/security/limits

test hard maxlogins 1

/etc/ssh/sshd_conf

UsePam yes

like I said, this works for SSH.


Matti_Kurkela
Honored Contributor

Re: PAM limits won't work on SFTP or SCP

Looks like OpenSSH on Debian 5 does not write SFTP or scp sessions into /var/run/utmp. Since SFTP and scp sessions normally don't have a PTY allocated to them and the utmp entry pretty much requires a TTY/PTY name, this is somewhat understandable.

Apparently the PAM limits module defines a session as "a login entry in the utmp file". That's simple and matches general Unix behavior, but it also means that any sessions with no utmp entry are not counted in PAM session limits.

By looking at the source code of OpenSSH, the utmp file is updated in session.c, in function do_pre_login(). That function is called from function do_exec_pty() only, which is executed if the session has a PTY allocated. If the session has no PTY, the function do_exec_no_pty() is used instead, and thus a utmp entry is not written for the session.

In theory, OpenSSH *could* invent some session-specific identifier in lieu of the PTY name and write a utmp entry using it. (I think some FTP servers do something like this.)
Or it could have a separate tracking system for PTYless sessions. So I would have to say this is mostly a limitation of OpenSSH.

MK
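To make the gap described above visible on a running host, here is an added example (not code from the thread or from OpenSSH) that counts a user's sessions two ways: from utmp, which is all pam_limits' maxlogins sees, and from the unprivileged "sshd: user@..." child processes, which also cover the PTY-less ("notty") sftp/scp sessions. The `who` and `ps` output embedded below is constructed sample data, not taken from a real system.

```python
import re
from collections import Counter

# Constructed sample output of `who` (one line per utmp entry, i.e. per PTY).
WHO_OUTPUT = """\
test     pts/0        2011-03-01 10:02 (192.0.2.10)
alice    pts/1        2011-03-01 10:05 (192.0.2.11)
"""

# Constructed sample output of `ps -eo user,pid,ppid,args`.
# OpenSSH names each session's unprivileged child "sshd: user@pts/N" when a PTY
# was allocated and "sshd: user@notty" for sftp/scp sessions without one.
PS_OUTPUT = """\
USER       PID  PPID ARGS
root      1201     1 /usr/sbin/sshd
root      2310  1201 sshd: test [priv]
test      2312  2310 sshd: test@pts/0
test      2315  2312 -bash
root      2400  1201 sshd: test [priv]
test      2402  2400 sshd: test@notty
test      2405  2402 /usr/lib/openssh/sftp-server
root      2500  1201 sshd: test [priv]
test      2502  2500 sshd: test@notty
test      2505  2502 scp -t /srv/upload
root      2600  1201 sshd: alice [priv]
alice     2602  2600 sshd: alice@pts/1
"""

SESSION_RE = re.compile(r"^sshd: (\S+)@(pts/\d+|notty)$")

def utmp_sessions(who_text):
    """Sessions per user as utmp records them: one per TTY/PTY line in `who`."""
    return Counter(line.split()[0] for line in who_text.splitlines() if line.strip())

def sshd_sessions(ps_text):
    """Sessions per user from the unprivileged sshd children, PTY or not."""
    counts = Counter()
    for line in ps_text.splitlines()[1:]:          # skip the ps header line
        user, _pid, _ppid, args = line.split(None, 3)
        match = SESSION_RE.match(args)
        if match and match.group(1) == user:       # child runs as the session user
            counts[user] += 1
    return counts

def over_limit(who_text, ps_text, maxlogins=1):
    """Users above maxlogins by real session count while utmp still passes them.
    Returns {user: (utmp_count, real_count)}."""
    utmp, real = utmp_sessions(who_text), sshd_sessions(ps_text)
    return {u: (utmp[u], n) for u, n in real.items() if n > maxlogins >= utmp[u]}
```

On a live Debian host the same functions can be fed the real output of `who` and `ps -eo user,pid,ppid,args`; a non-empty result from over_limit() is exactly the case the thread describes, a user holding sftp/scp sessions that maxlogins never counted.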
wobbe
Respected Contributor

Re: PAM limits won't work on SFTP or SCP

Thanks for that great explanation MK.
I was wondering if this had something to do with tty, since scp/ftp users don't show up when you run the "w" command.

So my logical next question would be: does anyone know of an SFTP server that allows me to enforce these PAM limits correctly, or perhaps uses another method to limit the logon count per user to one?

Or perhaps this issue was fixed in Debian 6.
Gives me a good excuse to have a look at their latest creation. :)
Alzhy
Honored Contributor

Re: PAM limits won't work on SFTP or SCP

Wobbe,

You can try modding the Secure SHell Daemon in sshd_config and tweak the below parameter:

MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

HTH.
Hakuna Matata.
wobbe
Respected Contributor

Re: PAM limits won't work on SFTP or SCP

Thanks for the suggestion Alzhy but I'm planning to use more than one account.
Alzhy
Honored Contributor

Re: PAM limits won't work on SFTP or SCP

Well -- check if there are other tunables in sshd_config (man sshd_config).
Hakuna Matata.