Setting up a maxlogins limit actually works here. Just make sure you use the '-' limit type, not 'hard'.
user1 - maxlogins 1
If you want to kick users who made a double login using scponly, here's a quick and dirty script which does that. Put it into crontab so it executes every minute.
#!/bin/sh
# Kill duplicate scponly sessions and lock the account after repeated offences.
# The attempt counters are kept in a root-owned directory instead of /tmp so an
# unprivileged user cannot pre-create or symlink the counter file root writes to.
STATEDIR=/var/lib/kill-scponly
mkdir -p "$STATEDIR"
for user in $(grep scponly /etc/passwd | awk -F: '{print $1}'); do
    echo "Checking user: $user"
    # Count this user's scponly processes. The script runs from root's crontab,
    # so the grep process itself is not owned by $user and is not counted.
    instances=$(ps -u "$user" | grep -c scponly)
    echo "scponly instances $instances"
    if [ "$instances" -gt 1 ]; then
        echo "Too many connections detected, slaying scponly for user $user"
        if [ -e "$STATEDIR/$user" ]; then
            attempts=$(cat "$STATEDIR/$user")
            echo "Detected $attempts attempts"
            # increment attempts counter
            echo $((attempts + 1)) > "$STATEDIR/$user"
            if [ "$attempts" -gt 3 ]; then
                echo "Blocking $user"
                # -L locks the password; key-based logins are unaffected by this.
                /usr/sbin/usermod -L "$user"
            fi
        else
            echo "1" > "$STATEDIR/$user"
        fi
        killall -u "$user" scponly
    fi
done
Download script: http://dl.dropbox.com/u/17194482/kill-scponly.sh
It's pretty non-standard to use initd to start anything on a Mac. Instead, launchd is used, kicking off sshd in an ad hoc fashion (i.e., it doesn't run as a typical server daemon until there's a knock on the door). I suspect that your use of Linux-centric Webmin to manage ssh is contributing to the problem, since Webmin doesn't know a whole lot about launchd.
First, make sure the ssh launchd item is configured to load, just to eliminate the obvious.
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
This is akin to ticking the box on Server Admin.app in the Settings options to enable SSH. Check syslog to see if launchctl is complaining about something.
It's unclear why you would want Webmin to handle SSH, but Apple's default configuration might be illuminating.
There's a launchd item in /System/Library/LaunchDaemons called sshd.plist. This XML file indicates that /usr/libexec/sshd-keygen-wrapper is used as the "program" that actually kicks off /usr/sbin/sshd using the -i flag. (The sshd-keygen-wrapper program is a shell script to first set up initial rsa and dsa keys in empty user home dirs.) The sshd-keygen-wrapper, however, also kicks off sshd like exec /usr/sbin/sshd $@ and is a trusted/whitelisted program as far as the socket firewall is concerned.
You might also want to grab the default /etc/sshd_config from backup or another machine to eliminate that as a variable in troubleshooting.
Best Answer
Every previous answer is working (as Google suggests too), but they are dirty and inelegant.
So the solution is as simple as to use the port number instead of the service name.
An excerpt from my edited /System/Library/LaunchDaemons/ssh.plist:
Note:
To be able to edit this file on El Capitan, Sierra and probably future versions as well, you need to disable SIP (System Integrity Protection). See How do I disable System Integrity Protection (SIP).
For Catalina, even after disabling SIP, the volumes are unwritable. Use
sudo mount -uw /
in order to enable writing to /System. Do the change, then restore SIP and reboot.
The above edit will also force sshd to listen only over IPv4.
After making any changes to ssh.plist, the file must be reloaded as follows:
Note that using launchctl stop ... and launchctl start ... will NOT reload this file.
The man page with more information can be found by typing man launchd.plist or using this link.
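To illustrate the "port number instead of the service name" edit the answer describes, here is an added example of the Sockets section of ssh.plist before and after the change. It is not the author's excerpt; the stock entry is shown as it appears in recent macOS releases (keep whatever Bonjour entry your file has), and 2222 is a constructed placeholder port.

```xml
<!-- Stock entry: launchd binds the listener by service name "ssh" (port 22 from /etc/services),
     on both IPv4 and IPv6, and hands the accepted connection to sshd -i. -->
<key>Sockets</key>
<dict>
    <key>Listeners</key>
    <dict>
        <key>SockServiceName</key>
        <string>ssh</string>
        <key>Bonjour</key>
        <array>
            <string>ssh</string>
            <string>sftp-ssh</string>
        </array>
    </dict>
</dict>

<!-- Edited entry: SockServiceName also accepts a numeric port (2222 is a constructed example),
     and SockFamily IPv4 restricts the listener to IPv4, as the answer notes. -->
<key>Sockets</key>
<dict>
    <key>Listeners</key>
    <dict>
        <key>SockServiceName</key>
        <string>2222</string>
        <key>SockFamily</key>
        <string>IPv4</string>
        <key>Bonjour</key>
        <array>
            <string>ssh</string>
            <string>sftp-ssh</string>
        </array>
    </dict>
</dict>
```

Because launchd owns the socket and starts sshd with -i, the Port directive in sshd_config has no effect on which port is listened on; the plist is the only place to change it, and the Bonjour advertisement will still announce the service name.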