Thank you very much for your reply.
I will try to sort out which pam libraries to move next.
I retested with non-rssh users to verify my original findings were correct.
They were.
myusern...@server2:/home/myusername-> sftp server1
Connecting to server1...
myusern...@server1's password:
Received message too long 1466004078>
myusern...@server2:/home/myusername->
The "Received message too long 1466004078" error is all I get, but it won't
let me in. I'm considering that a successful "block" - but that might just
be ignorance on my part.
If I try ssh, instead of sftp, I see this:
myusern...@server2:/home/myusername-> ssh server1
myusern...@server1's password:
Too many logins for 'myusername'.
Last login: Fri Apr 24 07:02:44 2009 from 172.16.X.X
Connection to server1 closed.
myusern...@server2:/home/myusername->
Notice the “Too many logins for ‘myusername’” error.
From: Derek Martin <[email protected]>
To: [email protected]
Cc: [email protected]
Date: 04/23/2009 06:15 PM
Subject: Re: rssh with /etc/security/limits.conf
On Thu, Apr 23, 2009 at 11:35:06AM -0500, [email protected] wrote:
> I've decided to use /etc/security/limits.conf to limit the number of
> ssh/sftp connections for a user. Unfortunately, I'm finding those
> rules only work for users that don't use rssh. I must be missing
> something, but I can't figure it out.
[...]
> I tested this works with non-rssh users over ssh or sftp. However, it
> doesn't work with rssh users.
You're quite sure it works with *sftp* users who don't use rssh? My
first guess would have been that these sessions are not counted as
logins, as in many ways they often are not (no pseudo tty allocated,
no entry in wtmp, etc.). I would fully expect this not to work at
all...
Assuming they do really work, I can't immediately see any reason why
it wouldn't work for rssh. Basically rssh takes the place of the
user's shell, and by that point in the login process, everything to do
with logging in has already happened. It's true that rssh is not
PAM-aware, but neither is bash (or any other shell) AFAIK.
The feature you're trying to use relies on PAM, so if it's going to
work, you need the PAM libraries to be present in /lib/security. My
only guess is -- again, assuming this really does work with sftp
without rssh -- that sftp-server must be doing the PAM stuff after
it's invoked, and therefore that you need to add /lib/security to your
jail. But given I've never seen a PAM config file for sftp-server,
that would surprise me a lot.
--
Derek D. Martin
http://www.pizzashack.org/:
GPG Key ID: 0x81CFE75D
_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
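
Added example, not part of the original thread: the number in "Received message too long 1466004078" is the first four bytes the sftp client read, interpreted as a big-endian packet length. The sketch below decodes it and contrasts a constructed, well-formed SFTP version packet with constructed text sent in its place; the 256 KiB client limit, the helper names and the sample inputs are assumptions.

```python
import struct

# Largest packet the OpenSSH sftp client accepts (256 KiB). Assumption: the
# client that printed the error above enforces this limit.
SFTP_MAX_MSG_LENGTH = 256 * 1024
SSH_FXP_VERSION = 2  # type byte of the server's first SFTP packet


def length_as_text(length):
    """Return the 4 bytes behind a reported length as ASCII, or None."""
    raw = struct.pack(">I", length)
    if all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in raw):
        return raw.decode("ascii")
    return None


def classify_first_bytes(data):
    """Classify what a server sent where the SFTP version packet belongs."""
    if len(data) < 5:
        return ("short", None)
    (length,) = struct.unpack(">I", data[:4])
    if length > SFTP_MAX_MSG_LENGTH:
        # The client stops here with "Received message too long <length>".
        return ("too_long", length_as_text(length))
    if data[4] == SSH_FXP_VERSION and len(data) >= 9:
        (version,) = struct.unpack(">I", data[5:9])
        return ("sftp_version", version)
    return ("other_packet", data[4])


# Length reported in the session above.
REPORTED = 1466004078

# Constructed inputs: a well-formed SSH_FXP_VERSION reply (length 5, type 2,
# protocol version 3) and a constructed line of text sent in its place.
GOOD = struct.pack(">IBI", 5, SSH_FXP_VERSION, 3)
TEXT = b"Warning: constructed example text\n"

if __name__ == "__main__":
    print(REPORTED, "->", repr(length_as_text(REPORTED)))
    print(classify_first_bytes(GOOD))
    print(classify_first_bytes(TEXT))
```

A reported length that decodes to printable ASCII means text reached the client where it expected an SFTP packet; the decoded characters are the start of that text.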