Bug#1080350: marked as done (openssh-server: refuses further connections after having handled PerSourceMaxStartups connections)

[Debian Bug Tracking System]

Your message dated Fri, 27 Feb 2026 21:17:15 +0000
with message-id <e1vw5d1-0000000gp2i-3...@fasolo.debian.org>
and subject line Bug#1080350: fixed in openssh 1:10.0p1-7+deb13u1
has caused the Debian Bug report #1080350,
regarding openssh-server: refuses further connections after having handled 
PerSourceMaxStartups connections
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1080350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080350
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: openssh-server
Version: 1:9.8p1-4
Severity: normal

The PerSourceMaxStartups should limit the number of concurrent
unauthenticated connections coming from a single source. But in recent
versions, all further connections from the given address are refused
after the server has handled the configured PerSourceMaxStartups
connections from it. It worked the expected way in some past versions.

To reproduce:

# sponge /etc/ssh/sshd_config.d/bug-startups.conf <<< 'PerSourceMaxStartups 2'
# service ssh restart
$ ssh localhost true
$ ssh localhost true
$ ssh localhost true

Observe the third connection failing and 'beginning MaxStartups
throttling' being logged without any other concurrent connections from
the localhost at all.

-k

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-server depends on:
ii  adduser                    3.137
ii  debconf [debconf-2.0]      1.5.87
ii  init-system-helpers        1.66
ii  libaudit1                  1:3.1.2-4+b1
ii  libc6                      2.40-2
ii  libcom-err2                1.47.1-1
ii  libcrypt1                  1:4.4.36-5
ii  libgssapi-krb5-2           1.21.3-3
ii  libkrb5-3                  1.21.3-3
ii  libpam-modules             1.5.3-7
ii  libpam-runtime             1.5.3-7
ii  libpam0g                   1.5.3-7
ii  libselinux1                3.7-1+b1
ii  libssl3t64                 3.3.1-7
ii  libwrap0                   7.6.q-33
ii  lsb-base                   11.6
ii  openssh-client             1:9.8p1-4
ii  openssh-sftp-server        1:9.8p1-4
ii  procps                     2:4.0.4-5
ii  runit-helper               2.16.3
ii  sysvinit-utils [lsb-base]  3.10-1
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.3.dfsg+really1.3.1-1

Versions of packages openssh-server recommends:
pn  default-logind | logind | libpam-systemd  <none>
ii  ncurses-term                              6.5-2
ii  xauth                                     1:1.1.2-1

Versions of packages openssh-server suggests:
ii  molly-guard   0.8.4
pn  monkeysphere  <none>
ii  ssh-askpass   1:1.2.4.1-16+b1
pn  ufw           <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]

-- debconf information:
  openssh-server/permit-root-login: true
  openssh-server/password-authentication: false

--- End Message ---

--- Begin Message ---

Source: openssh
Source-Version: 1:10.0p1-7+deb13u1
Done: Colin Watson <cjwat...@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1080...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Feb 2026 13:15:29 +0000
Source: openssh
Architecture: source
Version: 1:10.0p1-7+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1080350 1117529 1117530
Changes:
 openssh (1:10.0p1-7+deb13u1) trixie; urgency=medium
 .
   * CVE-2025-61984: ssh(1): disallow control characters in usernames passed
     via the commandline or expanded using %-sequences from the configuration
     file (closes: #1117529).
   * CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs (closes:
     #1117530).
   * Fix mistracking of MaxStartups process exits in some situations (closes:
     #1080350).
Checksums-Sha1:
 b8faca069cb0afc60daf0ec202971055fd5572a3 3694 openssh_10.0p1-7+deb13u1.dsc
 41f246a88bab7adcfc3ad5aa4d73741e1a7d1442 202608 
openssh_10.0p1-7+deb13u1.debian.tar.xz
 d257a32dd9a84d1646c53f00e6e985b941e1f17c 21519816 
openssh_10.0p1-7+deb13u1.git.tar.xz
 935fefdc7590f34d8c867b158683d04fb93a85d5 17332 
openssh_10.0p1-7+deb13u1_source.buildinfo
Checksums-Sha256:
 3701286974f2ebf6b6afec546e269c6568e63b21f8d6d053be3eef3a7c664753 3694 
openssh_10.0p1-7+deb13u1.dsc
 c9240cd765d32de2f117a0a0343e05f85cd89d2f30c681501306aac5d9c48fbe 202608 
openssh_10.0p1-7+deb13u1.debian.tar.xz
 6fd3ec00693dd8605b6e09410ca6f632b9007383ba2657df2a3ade09c7e215b7 21519816 
openssh_10.0p1-7+deb13u1.git.tar.xz
 07e7ce985b77019ed5d7acc6be8c5fe08d96cac971da945584d9f75447c1c1ed 17332 
openssh_10.0p1-7+deb13u1_source.buildinfo
Files:
 13313140bb35c4f0bcec7865f2b3cd52 3694 net standard openssh_10.0p1-7+deb13u1.dsc
 7b2afc5a6281c4e211948205d2d0bddd 202608 net standard 
openssh_10.0p1-7+deb13u1.debian.tar.xz
 adda2a898420b48b5cd102bbec9a5351 21519816 net standard 
openssh_10.0p1-7+deb13u1.git.tar.xz
 99a4ca6bf6471f756c9ce37e09c1ba1a 17332 net standard 
openssh_10.0p1-7+deb13u1_source.buildinfo
Git-Tag-Info: tag=56571582df75bc96973e8b74ce4e24d6e0f503a6 
fp=ac0a4ff12611b6fccf01c111393587d97d86500b
Git-Tag-Tagger: Colin Watson <cjwat...@debian.org>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmmB9ZoACgkQYG0ITkaD
wHmoOA/+KHDxAQp0+SZrvA0mK81EWxg1RtWd+jMeJ/hMpYI59mIciajxyA9czSbG
KgsAfgnWgCc0UqR8GePongWtkSsmylVMKii4YY2fDNBnrseMgOdI5M4E1TmEINfy
9NCh1m6Uv8KDIw9qwcyYt8jY+NJ3Fv1IOpHwnIU5tG+LBqHNm9zBveX2bFMmpRDN
FO8qYSZhlhoJ5gvkLRkjH8JLexKWqFnJu34P6F2jmYemc2rAe68CBksLfJ9yxjTw
hHlY5WbtuLaDR2iUAOQVxoXDnd+D70NvQZDpza0GwB+dQAYTRl1/1HpDAMbXhaJH
+16Ozd/uYr+Qm7nyS+OUJaglW//ZbRaxEPyNH11Twflm1SUB4vtMDTKUOw9uBpVE
ZZN0NJMGbP+qJaZFcevgZynte7o34qNqQVvEkLPZb/3jIAmnFt16eQ08JGTHFzs9
LMFqjbybFcjNlEzw7O2fD7xrQCWqqL5L7Zvx4j+Xo4wNL/dl+dgmPI2xplp9QAn5
QPONy9flMMyJrcyFvEE7oXEPCwiDNlKcxvuxJziyewjP6Qgm+yRQFYR0nm2E9u6V
RqkYyonDjIj02E8qQ9wlDwMoj6Incqbb4ni0P7rXVKvqF2NZ80YoiduE4wSGNLMI
MQ6i2QrXg3V6a6rZxwCSGxVu8Sn3yCrYnlHqvejJfIaSEll9k3Q=
=za18
-----END PGP SIGNATURE-----

pgpFTuBuoAMVd.pgp
Description: PGP signature

--- End Message ---