How the SSH protocol works with respect to MaxSessions and MaxStartups


I believe that neither of the two directives does what you think.


MaxSessions:

Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions permitted per network connection. Multiple sessions may be established by clients that support connection multiplexing. Setting MaxSessions to 1 will effectively disable session multiplexing, whereas setting it to 0 will prevent all shell, login and subsystem sessions while still permitting forwarding. The default is 10.

In this context a "session" is not a connection; it is a virtual channel within one connection. In most cases you will never face this limit, as most clients cannot make use of multiple channels. Or if they can, it is in less-used or lesser-known scenarios.


MaxStartups:

Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100. Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60"). sshd will refuse connection attempts with a probability of rate/100 (30%) if there are currently start (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60).

So the "startup" limit is evaluated even before any authentication is done.

Author: Minsoo Park

Updated on September 18, 2022
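The two directives in the answer apply at different layers: MaxStartups is counted per daemon over connections that have not yet authenticated, while MaxSessions is counted per authenticated connection and limits shell/exec/subsystem channels, not connections. The following Python model is an added example, not part of the answer and not OpenSSH code; the class names Sshd and Connection and the scenario functions are made up for illustration. The refusal probability follows the linear ramp described in the quoted sshd_config(5) text (rate at start, 100% at full), and a bare number N is treated as a hard cut at N, as the man page describes for the single-value form. The model also plays out the asker's scenario (MaxSessions 3, three connections each holding one session) to show that a fourth connection is not affected by MaxSessions, because each connection keeps its own session count.

```python
"""Model of sshd's two independent limits: MaxStartups and MaxSessions.

Added example, not OpenSSH code. Sshd/Connection are hypothetical names;
the probability formula mirrors the linear ramp in sshd_config(5).
"""
from __future__ import annotations

import random
from dataclasses import dataclass, field
from typing import Optional


def parse_max_startups(value: str) -> tuple[int, int, int]:
    """Return (start, rate, full). A bare "N" is a hard cut at N, i.e. N:100:N."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    if start < 1 or full < start or not 0 <= rate <= 100:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(unauth: int, start: int, rate: int, full: int) -> int:
    """Percent chance a new connection is refused when `unauth` connections
    are still unauthenticated: 0 below start, `rate` at start, 100 at full."""
    if unauth < start:
        return 0
    if unauth >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (unauth - start) // (full - start)


@dataclass
class Connection:
    authenticated: bool = False
    sessions: int = 0  # open shell/exec/subsystem channels on THIS connection


@dataclass
class Sshd:
    max_sessions: int = 10
    max_startups: str = "10:30:100"
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    connections: list[Connection] = field(default_factory=list)

    def unauthenticated(self) -> int:
        # Only connections that have not finished authentication count here.
        return sum(1 for c in self.connections if not c.authenticated)

    def connect(self) -> Optional[Connection]:
        """TCP connect + protocol startup; evaluated before any authentication."""
        start, rate, full = parse_max_startups(self.max_startups)
        p = drop_probability(self.unauthenticated(), start, rate, full)
        if self.rng.randrange(100) < p:
            return None  # refused: counts against MaxStartups, never authenticates
        c = Connection()
        self.connections.append(c)
        return c

    def authenticate(self, c: Connection) -> None:
        c.authenticated = True  # leaves the MaxStartups pool for good

    def open_session(self, c: Connection) -> bool:
        """Open a shell/exec/subsystem channel; MaxSessions is per connection."""
        if not c.authenticated or c.sessions >= self.max_sessions:
            return False
        c.sessions += 1
        return True


def question_scenario() -> dict:
    """Asker's setup: MaxSessions 3, MaxStartups 10, three long-lived connections
    each holding one session, then a fourth client with working key auth."""
    d = Sshd(max_sessions=3, max_startups="10")
    for _ in range(3):
        c = d.connect()
        d.authenticate(c)
        d.open_session(c)
    fourth = d.connect()  # 0 unauthenticated connections < start, so never dropped
    if fourth is None:
        return {"fourth_connection_accepted": False, "fourth_session_opened": False}
    d.authenticate(fourth)
    return {"fourth_connection_accepted": True,
            "fourth_session_opened": d.open_session(fourth)}


def multiplex_scenario(max_sessions: int = 3, attempts: int = 4) -> list[bool]:
    """One multiplexed connection opening several channels; only here does
    MaxSessions bite, on the (max_sessions + 1)-th channel."""
    d = Sshd(max_sessions=max_sessions)
    c = d.connect()
    d.authenticate(c)
    return [d.open_session(c) for _ in range(attempts)]


def flood_scenario(clients: int = 12, max_startups: str = "10") -> int:
    """Clients that connect but never authenticate; returns how many got in."""
    d = Sshd(max_startups=max_startups)
    return sum(1 for _ in range(clients) if d.connect() is not None)


if __name__ == "__main__":
    print(question_scenario())
    print(multiplex_scenario())
    print(flood_scenario())
```

Run stand-alone, the script shows the fourth connection in the question being accepted and getting its session, the channel limit refusing only the fourth channel on a single multiplexed connection, and a flood of never-authenticating clients being capped at the bare MaxStartups value.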

Comments

  • Minsoo Park
    Minsoo Park over 1 year

    I have a question related to sshd's settings of MaxSessions and MaxStartups.

    Suppose I have a host server that has sshd settings as below.

    MaxSessions 3
    MaxStartups 10
    LoginGraceTime 1m
    

    And currently 3 ssh sessions are established to the host, and the sessions will not end for a while.

    At that time, a new (4th) ssh connection is going to be made while the 3 ssh sessions are already ongoing.

    The 4th ssh connection uses key authentication, and there is NOT any problem with the key authentication.

    After key authentication of the 4th ssh connection succeeds, what will happen to the 4th connection? Is one of the scenarios below correct? If so, which one? If the answer is #3, can you tell me the right answer?

    1. The 4th ssh connection will be disconnected from the host since the ssh sessions that already exist are at the maximum. The total number of established ssh sessions cannot be exceeded.

    2. The 4th ssh connection will be put on a wait-list since, even though the ongoing ssh sessions are at the maximum, MaxStartups does not exceed its maximum. The 4th ssh connection will wait until one of the ongoing ssh sessions on the host disconnects, and the 4th ssh connection cannot wait longer than the time set by LoginGraceTime, 1 minute.

    3. Neither of the above.

    Thanks.