RE: [BSD6] SSH Restriction




For an exact description:

We have one user (robot) that connects to the server with the ssh command and a telnet argument to access some router.
The connection is not closed and cleaned properly. Also the CPU increases dangerously.

Regards


Karim Bourenane
112 Av. Charles de Gaules
92520 Neuilly S/Seine
Phone: +33156 76 35 52
Fax: +33156 76 35 04
http://www.equant.com



-----Original Message-----
From: Kostik Belousov [mailto:kostikbel@xxxxxxxxx]
Sent: vendredi 1 août 2008 14:27
To: Ed Schouten
Cc: BOURENANE Karim SCE/IBNF; FreeBSD Current
Subject: Re: [BSD6] SSH Restriction

On Fri, Aug 01, 2008 at 02:10:04PM +0200, Ed Schouten wrote:
> Hello Karim,
>
> * karim.bourenane@xxxxxxxxxxxxxxxxxx <karim.bourenane@xxxxxxxxxxxxxxxxxx> wrote:
> > I have one question. How can I restrict (limit) 1 user to have, for
> > example, 5 simultaneous ssh connections, no more?
>
> It's quite funny you ask this question, because I've been working on
> this last week.
>
> The new TTY code, which I'll commit next week, adds a new rlimit to
> the kernel called RLIMIT_NPTS. This rlimit allows you to limit the
> number of pseudo-terminals allocated by a single user. This means you
> can limit the number of login sessions by tuning the "pseudoterminals"
> field in /etc/login.conf.
>
> This seems to work with tools like screen(1), xterm(1), etc.
> Unfortunately I didn't get it working with OpenSSH, because OpenSSH
> allocates terminals while being root. I've already contacted the
> OpenSSH folks about this, but I haven't got any response (yet).

Limit on the allocation of the ptys is useful. Trying to use it to top the number of the "sessions" may not be. There is a -T option for the ssh(1).

Without a clear description of why the restriction is imposed, the question probably cannot be answered.

_______________________________________________
freebsd-current@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@xxxxxxxxxxx"


