I recently had a user (vendor) create 1000+ simultaneous sftp connections
(over 4 hours) into their chroot jail. Unfortunately, 1000 connections was
almost enough to crash my RHEL 5.2 server. I've decided to
use /etc/security/limits.conf to limit the number of ssh/sftp connections
for a user. Unfortunately, I'm finding those rules only work for users
that don't use rssh. I must be missing something, but I can't figure it
out.

What am I missing? I did try to put the limits.conf file and sshd_config
file in the jail... that wasn't successful.

Here were my server changes:

I added:

    UsePAM yes
    ChallengeResponseAuthentication no

to /etc/ssh/ssh_config

Then added the following line to /etc/security/limits.conf

    user1 hard maxlogins 5

I tested this works with non-rssh users over ssh or sftp. However, it
doesn't work with rssh users.

If it helps, here is what my jail looks like.

r...@conint01:/data/jail> ls -lR user1
user1:
total 40
drwxr-xr-x 2 root root 4096 Apr 3 2008 dev
drwxr-xr-x 2 root root 4096 Apr 3 2008 etc
drwxr-x--- 5 user1 user1grp 4096 Apr 22 09:43 home
drwxr-xr-x 2 root root 4096 Oct 15 2007 lib64
drwxr-xr-x 6 root root 4096 Oct 15 2007 usr

user1/dev:
total 4
crw-rw-rw- 1 root root 1, 3 Apr 3 2008 null

user1/etc:
total 8
-rw-r--r-- 1 root root 90 Apr 21 09:28 passwd

user1/home:
total 8
drwxrws--- 2 user1 user1grp 4096 Apr 22 07:49 inbound

user1/home/inbound:
total 0

user1/lib64:
total 3608
-rwxr-xr-x 1 root root 130448 Oct 15 2007 ld-2.5.so
-rwxr-xr-x 1 root root 130448 Oct 15 2007 ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 9976 Oct 15 2007 libcom_err.so.2.
-rwxr-xr-x 1 root root 1326168 Oct 15 2007 libcrypto.so.6
-rwxr-xr-x 1 root root 30920 Oct 15 2007 libcrypt.so.1
-rwxr-xr-x 1 root root 1678480 Oct 15 2007 libc.so.6
-rwxr-xr-x 1 root root 23520 Oct 15 2007 libdl.so.2
-rwxr-xr-x 1 root root 109824 Oct 15 2007 libnsl.so.1.
-rwxr-xr-x 1 root root 53880 Oct 15 2007 libnss_files.so.2
-rwxr-xr-x 1 root root 92728 Oct 15 2007 libresolv.so.2
-rwxr-xr-x 1 root root 18312 Oct 15 2007 libutil.so.1.

user1/usr:
total 32
drwxr-xr-x 2 root root 4096 Oct 15 2007 bin
drwxr-xr-x 2 root root 4096 Oct 15 2007 lib64
drwxr-xr-x 3 root root 4096 Oct 15 2007 libexec
drwxr-xr-x 4 root root 4096 Oct 15 2007 local

user1/usr/bin:
total 64
-rwxr-xr-x 1 root root 53368 Oct 15 2007 scp

user1/usr/lib64:
total 1088
-rwxr-xr-x 1 root root 174072 Oct 15 2007 libgssapi_krb5.so.2.
-rwxr-xr-x 1 root root 153008 Oct 15 2007 libk5crypto.so.3
-rwxr-xr-x 1 root root 559640 Oct 15 2007 libkrb5.so.3
-rwxr-xr-x 1 root root 32200 Oct 15 2007 libkrb5support.so.0.
-rwxr-xr-x 1 root root 53880 Oct 15 2007 libnss_files.so
-rwxr-xr-x 1 root root 85928 Oct 15 2007 libz.so.1

user1/usr/libexec:
total 8
drwxr-xr-x 2 root root 4096 Oct 15 2007 openssh

user1/usr/libexec/openssh:
total 52
-rwxr-xr-x 1 root root 47616 Oct 15 2007 sftp-server

user1/usr/local:
total 16
drwxr-xr-x 2 root root 4096 Oct 15 2007 bin
drwxr-xr-x 2 root root 4096 Oct 15 2007 libexec

user1/usr/local/bin:
total 72
-rwxr-xr-x 1 root root 63052 Oct 15 2007 rssh

user1/usr/local/libexec:
total 72
-rwsr-xr-x 1 root root 63680 Oct 15 2007 rssh_chroot_helper.
_______________________________________________
rssh-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
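
An added example, not part of the original post and not rssh's own code: a small audit that compares each user's running sftp-server/scp process count (a rough proxy for concurrent sessions) against the per-user hard maxlogins entries in limits.conf, as an independent check of whether the limit is actually being enforced. The user2 and group lines, the ps output, and all function names are constructed for illustration.

```python
import os
from collections import Counter

# Constructed limits.conf sample; only the user1 line comes from the post.
LIMITS_CONF = """\
# <domain> <type> <item> <value>
user1     hard  maxlogins  5
user2     hard  maxlogins  3
@vendors  hard  maxlogins  10
*         soft  nofile     4096
"""

# Constructed sample in the layout of `ps -eo user,pid,args`.
PS_OUTPUT = (
    "USER PID COMMAND\n"
    "root 2101 /usr/sbin/sshd\n"
    + "".join(f"user1 {3000 + i} /usr/libexec/openssh/sftp-server\n" for i in range(7))
    + "user2 4000 /usr/bin/scp -t /home/inbound\n"
)

TRANSFER_BINARIES = {"sftp-server", "scp"}

def parse_maxlogins(text):
    """Return {user: limit} for per-user hard (or '-') maxlogins entries."""
    limits = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) != 4:
            continue
        domain, kind, item, value = fields
        if item != "maxlogins" or kind not in ("hard", "-"):
            continue
        if domain == "*" or domain.startswith(("@", "%")):
            continue  # simplification: group and wildcard entries are not resolved
        if value.isdigit():
            limits[domain] = int(value)
    return limits

def count_sessions(ps_text):
    """Count sftp-server/scp processes per owning user."""
    counts = Counter()
    for line in ps_text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 2)
        if len(fields) == 3 and os.path.basename(fields[2].split()[0]) in TRANSFER_BINARIES:
            counts[fields[0]] += 1
    return counts

def over_limit(limits, counts):
    """Return sorted (user, seen, limit) tuples for users above their limit."""
    return sorted((u, counts[u], lim) for u, lim in limits.items() if counts[u] > lim)

if __name__ == "__main__":
    for user, seen, limit in over_limit(parse_maxlogins(LIMITS_CONF), count_sessions(PS_OUTPUT)):
        print(f"{user}: {seen} transfer processes, maxlogins is {limit}")
```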