Re: Max clients of OpenSSH

2007-10-16 Thread Jeremy C. Reed
On Tue, 16 Oct 2007, Bibby wrote:

 Where/How can I set the max client number of OpenSSH?
 sshd_config(5) and sshd(8) do not contain any info about this.
 
 I use OpenSSH 4.3p2 (RHEL 5 Client).
 
 Thanks very much.

Have a look at MaxStartups which is for concurrent unauthenticated 
connections.



  Jeremy C. Reed



Re: Max clients of OpenSSH

2007-10-16 Thread Cristiano Deana
2007/10/16, Bibby [EMAIL PROTECTED]:

 Where/How can I set the max client number of OpenSSH?

I don't know, but you can do it using pf.

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/



Re: Max clients of OpenSSH

2007-10-16 Thread Jeremy C. Reed
I am now testing the following (which includes a little documentation for 
a new MaxClients):

Index: servconf.c
===
RCS file: /cvs/openssh/servconf.c,v
retrieving revision 1.163
diff -u -r1.163 servconf.c
--- servconf.c  20 May 2007 05:03:16 -  1.163
+++ servconf.c  16 Oct 2007 16:50:46 -
@@ -108,6 +108,7 @@
options-protocol = SSH_PROTO_UNKNOWN;
options-gateway_ports = -1;
options-num_subsystems = 0;
+   options-max_clients = -1;
options-max_startups_begin = -1;
options-max_startups_rate = -1;
options-max_startups = -1;
@@ -224,6 +225,8 @@
options-allow_tcp_forwarding = 1;
if (options-gateway_ports == -1)
options-gateway_ports = 0;
+   if (options-max_clients == -1)
+   options-max_clients = 1000;
if (options-max_startups == -1)
options-max_startups = 10;
if (options-max_startups_rate == -1)
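
Review bot: the fallback that sets max_clients to 1000 when the option is unset turns a missing MaxClients line into a hard cap, so a server that had no overall connection limit before this patch gains one on upgrade without any configuration change. Consider treating the unset value as "no limit" and skipping the new check in sshd.c in that case, or state the behaviour change prominently alongside the new default.
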
@@ -286,7 +289,7 @@
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
-   sMaxStartups, sMaxAuthTries,
+   sMaxClients, sMaxStartups, sMaxAuthTries,
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -387,6 +390,7 @@
{ protocol, sProtocol, SSHCFG_GLOBAL },
{ gatewayports, sGatewayPorts, SSHCFG_ALL },
{ subsystem, sSubsystem, SSHCFG_GLOBAL },
+   { maxclients, sMaxClients, SSHCFG_GLOBAL },
{ maxstartups, sMaxStartups, SSHCFG_GLOBAL },
{ maxauthtries, sMaxAuthTries, SSHCFG_GLOBAL },
{ banner, sBanner, SSHCFG_ALL },
@@ -1115,6 +1119,10 @@
options-subsystem_args[options-num_subsystems] = p;
options-num_subsystems++;
break;
+
+   case sMaxClients:
+   intptr = options-max_clients;
+   goto parse_int;
 
case sMaxStartups:
arg = strdelim(cp);
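
Review bot: the sMaxClients case jumps straight to parse_int and nothing in this hunk range-checks the result. Combined with the comparison against options.max_clients added to the accept loop in sshd.c, "MaxClients 0" or a negative value would close effectively every new connection and lock administrators out, while an explicit -1 is indistinguishable from "unset" and is silently replaced by the 1000 default. Reject values below 1 here with a configuration error, or define one value as "unlimited" and document it.
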
Index: servconf.h
===
RCS file: /cvs/openssh/servconf.h,v
retrieving revision 1.72
diff -u -r1.72 servconf.h
--- servconf.h  19 Feb 2007 11:25:38 -  1.72
+++ servconf.h  16 Oct 2007 16:50:46 -
@@ -115,6 +115,7 @@
u_int num_accept_env;
char   *accept_env[MAX_ACCEPT_ENV];
 
+   int max_clients;
int max_startups_begin;
int max_startups_rate;
int max_startups;
Index: sshd.c
===
RCS file: /cvs/openssh/sshd.c,v
retrieving revision 1.364
diff -u -r1.364 sshd.c
--- sshd.c  5 Jun 2007 08:22:32 -   1.364
+++ sshd.c  16 Oct 2007 16:50:47 -
@@ -181,6 +181,11 @@
 int num_listen_socks = 0;
 
 /*
+ * Keep track of number of clients for MaxClients.
+ */
+int num_clients = 0;
+
+/*
  * the client's version string, passed by sshd2 in compat mode. if != NULL,
  * sshd will skip the version-number exchange
  */
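
Review bot: num_clients is declared as a plain int, yet the later hunks update it both from the SIGCHLD handler (num_clients--) and from the accept loop (num_clients++). A variable shared with a signal handler should be volatile sig_atomic_t, and since it is only used inside sshd.c it can be static as well.
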
@@ -338,6 +343,8 @@
(pid  0  errno == EINTR))
;
 
+   num_clients--;
+
signal(SIGCHLD, main_sigchld_handler);
errno = save_errno;
 }
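
Review bot: num_clients-- is placed after the reaping loop whose tail is visible at the top of this hunk, so it runs once per handler invocation, not once per child reaped. SIGCHLD is not queued: when several children exit close together, one invocation reaps all of them and the counter drops by only one. The count then drifts upward until it reaches MaxClients and the daemon refuses every connection until it is restarted. Decrement inside the loop, once for each pid the wait call actually returns.
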
@@ -1092,6 +1099,11 @@
close(*newsock);
continue;
}
+   if (num_clients = options.max_clients) {
+   debug(max clients %d, num_clients);
+   close(*newsock);
+   continue;
+   }
if (drop_connection(startups) == 1) {
debug(drop connection #%d, startups);
close(*newsock);
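
Review bot: the rejection in the new max clients branch is reported only through debug(), so at the default log level an operator has no record that the limit was reached and the client simply sees the socket close. Log this at a level that reaches syslog by default, for example with logit(), and include the configured limit as well as the current count so that the event can be alerted on.
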
@@ -1185,6 +1197,8 @@
debug(Forked child %ld., (long)pid);
 
close(startup_p[1]);
+
+   num_clients++;
 
if (rexec_flag) {
send_rexec_state(config_s[0], cfg);
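
Review bot: num_clients++ in the parent is a read-modify-write that the SIGCHLD handler's num_clients-- can interrupt, and a child that exits immediately after fork can be reaped before this line runs, so the two updates can be lost or applied out of order. Block SIGCHLD around the increment, or keep both the increment and the decrement in the main loop and have the handler only set a flag.
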
Index: sshd_config
===
RCS file: /cvs/openssh/sshd_config,v
retrieving revision 1.78
diff -u -r1.78 sshd_config
--- sshd_config 17 Sep 2007 01:57:38 -  1.78
+++ sshd_config 16 Oct 2007 16:50:47 -
@@ -100,6 +100,7 @@
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
+#MaxClients 1000
 #MaxStartups 10
 #PermitTunnel no
 
Index: sshd_config.5
===
RCS file: /cvs/openssh/sshd_config.5,v
retrieving revision 1.84
diff -u -r1.84 sshd_config.5
--- sshd_config.5   17 Sep 2007 01:57:38 -  1.84
+++ sshd_config.5   16 Oct 2007 16:50:47 -
@@ 

Re: Max clients of OpenSSH

2007-10-16 Thread Jeremy C. Reed
On Tue, 16 Oct 2007, Jeremy C. Reed wrote:

 Index: sshd_config.5
 ===
 RCS file: /cvs/openssh/sshd_config.5,v
 retrieving revision 1.84
 diff -u -r1.84 sshd_config.5
 --- sshd_config.5 17 Sep 2007 01:57:38 -  1.84
 +++ sshd_config.5 16 Oct 2007 16:50:47 -
 @@ -536,6 +536,11 @@
  Once the number of failures reaches half this value,
  additional failures are logged.
  The default is 6.
 +.It Cm MaxClients
 +Specifies the maximum number of concurrent connections to the
 +SSH daemon.
 +The default is 1000.
 +.Pp

I guess I should document some more here:

This includes current unauthenticated connections, so consider keeping  
this greater than
.Cm MaxStartups
so legitimate connections will not be locked out by unauthenticated 
connections.




  .It Cm MaxStartups
  Specifies the maximum number of concurrent unauthenticated connections to the
  SSH daemon.
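
Review bot: the new MaxClients entry gives the limit and its default but does not say what happens when the limit is reached (per the sshd.c hunk, the new connection is closed with no message to the client) or whether any value disables the limit. Add both to the entry, together with the MaxStartups relationship proposed in this reply.
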

  Jeremy C. Reed



Re: Max clients of OpenSSH

2007-10-16 Thread Bibby
Hi, Reed.

Can you send me a separate patch and tell me the usage? I want to test it.

Thanks very much.

--
Best regards.

Bibby

2007/10/17, Jeremy C. Reed [EMAIL PROTECTED]:

 I am now testing the following (which includes a little documentation for
 a new MaxClients):



Max clients of OpenSSH

2007-10-15 Thread Bibby
Hi, folks,

Where/How can I set the max client number of OpenSSH?
sshd_config(5) and sshd(8) do not contain any info about this.

I use OpenSSH 4.3p2 (RHEL 5 Client).

Thanks very much.

--
Best Regards.