As you probably know, we can SSH into a remote Linux system by the same user multiple times. There is no limit! You could simply open multiple Terminal windows (or multiple tabs in the Terminal) and initiate multiple SSH sessions from each tab by the same user account. What if you want to change this behavior? For example, you might want to allow only one active SSH session for an user. That's what we are going to see now. This brief tutorial explains how to limit the number of SSH logins per user or group or system on Linux.
In most Linux distributions, there is a file called limits.conf where you can define the maximum number of concurrent SSH sessions for an user or group of users. If the particular user tries to SSH into the system more than the allowed SSH logins, he/she will be denied access.
Limit The Number Of SSH Logins Per User Or Group On Linux
The limits.conf file is usually located under /etc/security/ directory on RPM and DEB-based systems.
Go to your remote system and edit /etc/security/limits.conf file with sudo or root user:
$ sudo nano /etc/security/limits.conf
To limit the number of concurrent SSH sessions for a specific user, for example ostechnix, Add the following line at the end:
ostechnix hard maxlogins 1
Here,
- ostechnix - Name of the user in my CentOS 8 server.
- maxlogins 1 - Maximum number of logins for this user. In my case it is 1. You can increase this value to allow maximum no. of active SSH sessions per user.
- hard - Enforcing hard limits.
If you want to limit the number of SSH connections for a group of users, add the following line:
@mygroup hard maxlogins 1
Replace @mygroup with your group name. In this scenario, all users in the mygroup can't login via SSH more than once.
If you want to limit SSH sessions of all users (global) in the system, add this line instead:
* hard maxlogins 1
Here, the asterisk means global (i.e. all users in the system). Once you defined the maximum number of SSH sessions per user/group or the whole system, save and close the file.
Now try to SSH to the system with the same user more than one time. You will see an error message like below.
Too many logins for 'ostechnix'. Last login: Tue Feb 18 17:12:09 2020 from 192.168.225.37 Connection to 192.168.225.52 closed.
As you see in the above output;
- First, I SSH into the remote CentOS 8 server as
rootuser via SSH and connection was successfully established. - Then, I opened a new tab and SSH into the same server as regular user "ostechnix" and the connection was also successful.
- Finally, I tried to SSH into the same server with the same regular user (i.e. ostechnix) and this time the connection was denied. The user "ostechnix" can not SSH into the system more than once. Because the maximum number of allowed SSH session for this user is only one time. Hence, SSH connection is denied for this user.
In this example, we restricted the total number of active SSH sessions for a user or group or all users in the system. It is also possible to limit the SSH sessions per system-basis. For example - we can allow only one SSH login from a system, not per the user or group.
Limit Total Number Of SSH Session Per System
To limit the total number of active SSH connections per system, add the following line in /etc/security/limits.conf file:
* hard maxsyslogins 1Here, maxsyslogins refers the maximum number of logins on the system, not per-user or per-group.
Try to SSH into the system and you can't access the system more than the maximum number of allowed logins on the system.
See? The user "ostechnix" can't even SSH for the first time. Because, the total number of allowed SSH login is only one for the system. This time the SSH connection made by the root user has also been taken into account. So the maximum number of SSH logins has crossed the defined limit and the user "ostechnix" was denied access. Hope you understand.
Please note that this restriction applies for the normal users only. The root user can still able to login via SSH any number of times.
5 comments
Of course, this affects all logins. And while in our “network” dependent world, we might view ssh logins at “the only way”, if you need to just restrict ssh and not all other sources of login, there are more precise ways.
(let’s just say, I wouldn’t put this on an exam in this form)
Yes, you’re right. Since I mostly access servers via SSH, I found this method very easy and effective.
And does that prevent opening multiple sessions with multiplexing?
https://blog.scottlowe.org/2015/12/11/using-ssh-multiplexing/
Hi
limits.conf doesn’t seem to work for limiting the number of users. It disconnects only on the number of 0 users.
It works for me as expected. I checked it in the CentOS 8 minimal server.