How to harden sshd_config to allow only 1 user to be logged in at any given time?

How do I harden my sshd_config to allow only 1 user to be remotely logged in at any given time? (A non-admin/wheel, non-root user will log in remotely, then upgrade (i.e. "su -l admin") to admin/wheel, and then to root; this should be counted as the same user being logged in at any given time.)

I need more clarification about MaxSessions and MaxStartups. Is MaxSessions a limit on how many users can log in remotely? What about MaxStartups: how does it affect how many people can log in simultaneously? (I'm trying to understand these terms, "session", "multiplexing", "concurrent connections", in relation to my purpose as described above.)
 
I don't know, but from reading the man pages:

    MaxStartups
        Specifies the maximum number of concurrent
        unauthenticated connections to the SSH daemon.

So that's how many unauthenticated connections are allowed at once, i.e. connections where the client and server are still doing the handshake, negotiating protocols and going through authentication. So this isn't the number of authenticated users connected, but the number of clients trying to connect and authenticate.

    MaxSessions
        Specifies the maximum number of open shell, login or
        subsystem (e.g. sftp) sessions permitted per network
        connection. Multiple sessions may be established by
        clients that support connection multiplexing.

So one network connection can have multiple sessions within it.

I'm not sure what you are after is possible, especially the bit where after the user is connected and uses su, they are counted differently.
 
Try using "AllowUsers user" to prevent all other users from using sshd.

It is possible to use "Match" and "AllowUsers" to permit certain users from specified IPs:

    Match Address 9.2.1.1/32,1.1.1.1/32
        PermitRootLogin yes
        AllowUsers root admin guest
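As an added example (not code from either answer above, and not from OpenSSH itself), the script below puts both answers together with the asker's su requirement. The sshd_config fragment shows what the directives do and do not buy you: AllowUsers narrows who may authenticate, MaxSessions 1 stops a multiplexing client from opening a second session over one connection, and MaxStartups only throttles not-yet-authenticated handshakes; none of them caps the number of logged-in users across separate connections, so that last check has to be done at login time against the existing sessions. The account name "opsuser", the addresses and the `who` output are constructed sample data; the functions parse that output and decide whether a new login keeps the system within a one-remote-user limit. Because `su` does not write a utmp entry, a user who logs in and then runs `su -l admin` shows up in `who` exactly once, which is the counting behaviour the question asks for.

```shell
#!/bin/sh
# Added example, not part of the original thread. Runs only against
# constructed data below; it never touches a live sshd or utmp.

# 1. sshd_config fragment (account name "opsuser" is an assumption).
#    AllowUsers: only this account may authenticate at all.
#    MaxSessions 1: no second multiplexed session over one connection.
#    MaxStartups 3:50:10: start dropping unauthenticated connections at 3,
#    with 50% probability, rising to always-drop at 10. This throttles
#    handshakes, not logged-in users.
sshd_fragment() {
    cat <<'EOF'
AllowUsers opsuser
MaxSessions 1
MaxStartups 3:50:10
PermitRootLogin no
EOF
}

# 2. Constructed `who` output: two remote sshd logins (opsuser then ran
#    `su -l admin`; su adds no utmp line, so "admin" does not appear),
#    one local console login and one local X display session.
SAMPLE_WHO='opsuser  pts/0        2024-05-01 09:12 (203.0.113.5)
guest    pts/1        2024-05-01 09:20 (198.51.100.7)
root     tty1         2024-05-01 08:00
alice    :0           2024-05-01 08:05 (:0)'

# Lines that arrived over the network: the last field is "(host)" and the
# host is not a local X display such as ":0". Reads `who` output on stdin.
count_remote_logins() {
    awk '$NF ~ /^\(.+\)$/ && $NF !~ /^\(:/ { n++ } END { print n+0 }'
}

# Distinct login names among the remote logins. A user who logged in once
# and escalated with su is still one name here.
count_remote_users() {
    awk '$NF ~ /^\(.+\)$/ && $NF !~ /^\(:/ { u[$1] = 1 }
         END { for (k in u) n++; print n+0 }'
}

# Policy check: intended to be run from the login shell's profile of the
# one permitted account (a suggested placement, not something sshd does
# by itself). $1 = maximum number of concurrent remote users, stdin =
# current `who` output. Exit status 0 allows the login, 1 refuses it.
# The new session already has its own utmp line by the time a profile
# runs, so "1" means "nobody else is here".
login_permitted() {
    max=$1
    n=$(count_remote_users)
    [ "$n" -le "$max" ]
}

# Demo on the constructed data.
echo "remote logins: $(printf '%s\n' "$SAMPLE_WHO" | count_remote_logins)"
echo "remote users:  $(printf '%s\n' "$SAMPLE_WHO" | count_remote_users)"
if printf '%s\n' "$SAMPLE_WHO" | login_permitted 1; then
    echo "one-user policy: allow"
else
    echo "one-user policy: deny (a second remote user is already logged in)"
fi
```

In the sample, "guest" would never get this far once the AllowUsers line is in place; the deny case is shown so the counting logic is visible. If the check refuses a login, the profile would normally print a message and `exit`, and the account's shell must not be one the user can escape (e.g. by passing a command to ssh), so the check belongs in a ForceCommand wrapper or a pam_exec hook rather than only in ~/.profile when the user is untrusted.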
 