Score:0

How to limit the number of SSH port forwardings per user

ami:

I want to limit a nologin system user to making one or two SSH tunnels.

This user runs the command `ssh system-user@server-ip -D 1080 -N`.

I need something like `maxlogins` in limits.conf.

Is there any way to do that?

Score:0
You could set MaxSessions in sshd_config (default 10), but then they could just open another SSH connection to get more, so you'd also have to couple that with setting maxlogins in limits.conf.

However, -D is usually used for a SOCKS proxy, which is tied to a web browser, which usually opens multiple streams at once. Even the default of 10 can be a low limit for that, so if you set it to 1 without also changing the web browser's simultaneous-connection limit, you are likely to break the web browser using the SSH connection.

ami:

This is a nologin system user, so `maxlogins` in limits.conf is not useful, and `MaxSessions` has no effect on port forwarding.
user10489:

MaxSessions controls port multiplexing, which explicitly includes port forwarding. I've had to adjust this number up specifically to handle `-D` connections. When you connect with ssh, it is a login session, although you aren't getting a shell in this case. I haven't tested whether systemd counts it under maxlogins, however.
user10489:

I just checked. If you use `loginctl list-sessions` on your remote machine, you will find the ssh forwarding sessions are there (without a shell), and you can verify that with `loginctl session-status` followed by each number from list-sessions. Each of those counts under maxlogins.
ami:

`limits.conf`: `sys_test - maxlogins 2`, `sshd_config`: `MaxSessions 1`, `loginctl list-sessions`:

```
SESSION UID USER     SEAT TTY
    676 998 sys_test
    679   0 root
    700 998 sys_test
    701 998 sys_test
    702 998 sys_test

9 sessions listed.
```
ami:

I set maxlogins 2 and MaxSessions 1; now I tested 4 `ssh sys_test@185.216.26.95 -D [1081-1084] -N` and all of them are working.
user10489:

You might need to restart services and close existing sessions before the new numbers take effect.
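The check user10489 describes (look at `loginctl list-sessions` and count how many sessions the forwarding-only user actually holds) is easy to script, so here is an added example; it is not code from the thread. The listing it parses is a constructed sample modelled on the one ami posted (with a consistent trailer count), and the user name `sys_test` and the limit of 2 are the values from the thread, used only as assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: count systemd-logind sessions
# per user from `loginctl list-sessions` output and flag users over a limit.

# Constructed sample in the shape of `loginctl list-sessions` output,
# modelled on the listing posted above (header, rows, trailer line).
SAMPLE_LISTING='SESSION  UID USER     SEAT TTY
    676  998 sys_test
    679    0 root
    700  998 sys_test
    701  998 sys_test
    702  998 sys_test

5 sessions listed.'

# count_sessions USER  (listing on stdin)
# Prints the number of session rows whose USER column equals USER.
# Only rows whose first field is a numeric session id are counted, so the
# header line and the "N sessions listed." trailer are ignored.
count_sessions() {
    awk -v user="$1" '
        $1 ~ /^[0-9]+$/ && $3 == user { n++ }
        END { print n + 0 }
    '
}

# check_limit USER LIMIT  (listing on stdin)
# Returns 0 when USER holds at most LIMIT sessions, 1 when it holds more.
check_limit() {
    n=$(count_sessions "$1")
    if [ "$n" -gt "$2" ]; then
        echo "$1: $n sessions, limit $2 exceeded" >&2
        return 1
    fi
    echo "$1: $n sessions (limit $2)"
    return 0
}

# Demo on the constructed sample: sys_test (assumed limit 2) is over the
# limit, root is not. The `|| true` keeps the demo from aborting the script.
printf '%s\n' "$SAMPLE_LISTING" | check_limit sys_test 2 || true
printf '%s\n' "$SAMPLE_LISTING" | check_limit root 2
```

On a live host, feed the real output in with `loginctl list-sessions | check_limit sys_test 2`. The script only reports what logind knows about; whether those sessions are also what pam_limits counts toward `maxlogins` is exactly what the thread is testing, so treat it as a monitor rather than an enforcement mechanism. If you do lower `MaxSessions`, it is accepted inside a `Match User sys_test` block in sshd_config, which keeps the browser-breaking effect described in the answer from hitting every other user.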