Re: rssh with /etc/security/limits.conf
From: Derek M. <co...@pi...> - 2009-04-23 23:13:11
On Thu, Apr 23, 2009 at 11:35:06AM -0500, RK...@ho... wrote:
> I've decided to use /etc/security/limits.conf to limit the number of
> ssh/sftp connections for a user. Unfortunately, I'm finding those
> rules only work for users that don't use rssh. I must be missing
> something, but I can't figure it out.
[...]
> I tested this works with non-rssh users over ssh or sftp. However, it
> doesn't work with rssh users.

You're quite sure it works with *sftp* users who don't use rssh? My first guess would have been that these sessions are not counted as logins, as in many ways they often are not (no pseudo tty allocated, no entry in wtmp, etc.). I would fully expect this not to work at all...

Assuming they do really work, I can't immediately see any reason why it wouldn't work for rssh. Basically rssh takes the place of the user's shell, and by that point in the login process, everything to do with logging in has already happened. It's true that rssh is not PAM-aware, but neither is bash (or any other shell) AFAIK.

The feature you're trying to use relies on PAM, so if it's going to work, you need the PAM libraries to be present in /lib/security. My only guess is -- again, assuming this really does work with sftp without rssh -- that sftp-server must be doing the PAM stuff after it's invoked, and therefore that you need to add /lib/security to your jail. But given I've never seen a PAM config file for sftp-server, that would surprise me a lot.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
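
Added example, not part of the original message and not rssh or PAM code: a simplified Python model of the guess in the reply above, assuming that maxlogins is checked against login records and that sessions without a pseudo tty leave none. The sample limits.conf, the user names and the Session type are constructed for illustration.

```python
# Simplified model for illustration only; this is not pam_limits source code.
from collections import namedtuple

# Constructed sample data (not from the original thread).
LIMITS_CONF = """\
# <domain>  <type>  <item>      <value>
alice       hard    maxlogins   2
*           hard    maxlogins   4
bob         -       nofile      1024
"""

# tty is None when no pseudo tty was allocated (e.g. an sftp subsystem).
Session = namedtuple("Session", "user tty")

def maxlogins_for(user, conf_text):
    """Return the maxlogins value that applies to user, or None."""
    wildcard = None
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4 or fields[2] != "maxlogins":
            continue
        domain, _type, _item, value = fields
        if domain == user:
            return int(value)       # a user entry overrides the wildcard
        if domain == "*":
            wildcard = int(value)
    return wildcard

def login_records(sessions):
    """Assumption: only sessions with a pseudo tty leave a login record."""
    return [s for s in sessions if s.tty is not None]

def would_admit(user, sessions, conf_text):
    """Model the maxlogins check for one more session opened by user."""
    limit = maxlogins_for(user, conf_text)
    if limit is None:
        return True
    existing = sum(1 for s in login_records(sessions) if s.user == user)
    return existing + 1 <= limit    # the new session counts as one login

if __name__ == "__main__":
    interactive = [Session("alice", "pts/0"), Session("alice", "pts/1")]
    sftp_only = [Session("alice", None)] * 5    # five sessions, no pty
    print("third interactive login admitted:",
          would_admit("alice", interactive, LIMITS_CONF))
    print("sixth sftp session admitted:",
          would_admit("alice", sftp_only, LIMITS_CONF))
```

Under these assumptions the limit never triggers for sessions that have no pseudo tty, whichever shell the account uses.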