
Background:

ssh (client) allows the re-use of active connections via multiplexing ControlPaths ...

```
Host *
    ControlMaster auto
    ControlPath /home/username/.ssh/%r@%h:%p
```

The TL;DR is that the first connection will authenticate like any other; subsequent connections will use the ControlPath and not perform any additional authentication.

Now my question: is it possible to limit the use of such connections server side, in the sshd_config?

MaxSessions does not work: despite setting it to 1, I can connect to a host as many additional times as wanted via the same original connection.

Setting it to 0 of course just disabled remote logins entirely.

Oneiroi
  • Why would you possibly want to do this? – womble Nov 27 '15 at 09:37
  • @womble hosts may wish to prevent this feature from being used for auditing / enforce 2FA for each connection purposes. – Oneiroi Nov 27 '15 at 09:41
  • @Oneiroi, this answers all your questions: http://unix.stackexchange.com/questions/26170/sshd-config-maxsessions-parameter. Check all the answers there. – Diamond Nov 27 '15 at 11:24
  • Because https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/october/bypassing-authentication-on-ssh-bastion-hosts/ – Ed Randall Nov 22 '19 at 14:27

1 Answer


> Now my question: is it possible to limit the use of such connections server side, in the sshd_config?

Yes, `MaxSessions` does exactly what you are describing, if you are not using a buggy server. It disables multiplexing sessions.

> MaxSessions does not work: despite setting it to 1, I can connect to a host as many additional times as wanted via the same original connection.

If you want to open more sessions, you need to open more connections. But this is not what you are asking in the title of the question. Anyway, as described in Unix, you can use `/etc/security/limits.conf`:

 foo-user           -       maxlogins       1

Having spent more time with your question, I think you have in the back of your head the `ControlPersist` option, which allows opening and closing the one session during the one connection (but you probably forgot to mention it). If this is your concern, there is no way to forbid it with pure ssh. You would probably need some `ForceCommand` script to handle it for you.

Jakuje
  • oddly `MaxSessions` does not prevent the creation nor use of multiplexing when set to 1 ```[root@localhost ~]# cat /etc/redhat-release CentOS Linux release 7.1.1503 (Core) [root@localhost ~]# rpm -q openssh openssh-6.6.1p1-12.el7_1.x86_64``` – Oneiroi Dec 02 '15 at 15:08
  • Not sure if CentOS has already updated, but in RHEL we have an update that was dealing with the `MaxSessions` option. Please, let's try with a newer version and see if the problem persists. – Jakuje Dec 02 '15 at 15:10
  • OK, I'll keep an eye out for relevant updates; you wouldn't happen to know the RH BZ id at all? – Oneiroi Dec 03 '15 at 10:41
  • `openssh-6.6.1p1-22.el7.x86_64` is installed, and whilst this is the latest RHEL package, it suffers from the same issues, it would appear. – Oneiroi Dec 03 '15 at 11:07
  • Just tested with `MaxSession 1` and the second connection fails with `open failed: administratively prohibited: open failed` and falls back to new authentication, which is expected behaviour. – Jakuje Dec 03 '15 at 11:14
  • Could you paste the sshd_config somewhere such as fpaste if possible please? Tried this on AMI `openssh-6.6.1p1-12.57.amzn1.x86_64` and still have the same problems ... it's baffling me. – Oneiroi Dec 03 '15 at 11:41
  • It was only the `MaxSessions` I changed. You can verify on the server that it is really used: `sshd -T | grep maxsessions`. – Jakuje Dec 03 '15 at 11:44
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/32452/discussion-between-oneiroi-and-jakuje). – Oneiroi Dec 03 '15 at 11:50
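
The two server-side settings discussed in this thread, `MaxSessions` (verified with `sshd -T`) and `maxlogins` in `/etc/security/limits.conf`, can be audited together from captured text. This is an added example, not code from any poster; the function names and sample input are constructed, and it assumes `maxlogins` is set only through exact-user entries (no `@group` or `*` rules).

```shell
#!/bin/sh
# Added example: audit MaxSessions / maxlogins from captured text files.

# Print the value of one keyword from `sshd -T` output (keys are lowercase).
sshd_effective() {   # usage: sshd_effective <keyword> <sshd-T-output-file>
    awk -v k="$1" '$1 == k { print $2; found = 1; exit }
                   END { exit !found }' "$2"
}

# Map a MaxSessions value to its effect on multiplexing, per sshd_config(5).
mux_policy() {       # usage: mux_policy <maxsessions-value>
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 2 ;;
        0) echo no-sessions ;;    # shell/login/subsystem sessions all refused
        1) echo mux-disabled ;;   # one session per authenticated connection
        *) echo mux-allowed ;;    # up to N sessions reuse one authentication
    esac
}

# Print the maxlogins value for an exact user name in a limits.conf-style
# file. Assumption: @group and wildcard domains are not evaluated here.
maxlogins_for() {    # usage: maxlogins_for <user> <limits-file>
    awk -v u="$1" '$1 ~ /^#/ { next }
        $1 == u && $3 == "maxlogins" { v = $4 }
        END { if (v == "") exit 1; print v }' "$2"
}

# Two-line report. pam_limits only applies when sshd authenticates through
# PAM and the module is in its stack, so usepam is printed beside maxlogins.
audit() (            # usage: audit <user> <sshd-T-output-file> <limits-file>
    ms=$(sshd_effective maxsessions "$2") || ms=""
    pam=$(sshd_effective usepam "$2") || pam="unknown"
    ml=$(maxlogins_for "$1" "$3") || ml="unset"
    echo "maxsessions=${ms:-missing} policy=$(mux_policy "$ms")"
    echo "maxlogins=$ml usepam=$pam"
)

# Constructed sample input (not captured from a real host).
demo() (
    d=$(mktemp -d)
    printf 'port 22\nusepam yes\nmaxsessions 10\n' > "$d/sshd_T.txt"
    printf '# constructed\nfoo-user - maxlogins 1\n' > "$d/limits.conf"
    audit foo-user "$d/sshd_T.txt" "$d/limits.conf"
    rm -rf "$d"
)
demo
```

On a server, capture the first file with `sshd -T` as root. `Match` blocks can override the global value, and `sshd -T -C user=...,host=...,addr=...` evaluates them for a given connection.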