sshd_config ignores MaxSessions?

2011-11-11 Thread Scott
Hello,

$ grep 'MaxSessions' /etc/ssh/sshd_config
MaxSessions 2

But I can log into a box with at least 5 sessions (I stopped trying at
that point).

Just above the entry for MaxSessions in the sshd_config manpage, I see:


 Match   Introduces a conditional block.  If all of the criteria on the
 Match line are satisfied, the keywords on the following lines
 override those set in the global section of the config file,
 until either another Match line or the end of the file.

 The arguments to Match are one or more criteria-pattern pairs.
 The available criteria are User, Group, Host, and Address.  The
 match patterns may consist of single entries or comma-separated
 lists and may use the wildcard and negation operators described
 in the PATTERNS section of ssh_config(5).

 The patterns in an Address criteria may additionally contain
 addresses to match in CIDR address/masklen format, e.g.
 "192.0.2.0/24" or "3ffe:::/32".  Note that the mask
 length provided must be consistent with the address - it is an
 error to specify a mask length that is too long for the address
 or one with bits set in this host portion of the address.  For
 example, "192.0.2.0/33" and "192.0.2.0/8" respectively.

 Only a subset of keywords may be used on the lines following a
 Match keyword.  Available keywords are AllowAgentForwarding,
 AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
 Banner, ChrootDirectory, ForceCommand, GatewayPorts,
 GSSAPIAuthentication, HostbasedAuthentication,
 HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
 KerberosAuthentication, MaxAuthTries, MaxSessions,
 PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
 PermitRootLogin, PermitTunnel, PubkeyAuthentication,
 RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
 X11Forwarding and X11UseLocalHost.


My question:
Is 'Match' used as a further refinement to any of the rules listed in
the keywords section (see last paragraph above), or is it required in
order to use one of those keywords? If the former is true, then I
don't understand why my setting doesn't seem to work. If it's the
latter, then I know I've omitted something.

Googling for 'MaxSessions' just yielded me a bunch of results that
looked like mine, as a single line entry without a Match construct.

Thank you!
-Scott



Re: sshd_config ignores MaxSessions?

2011-11-11 Thread Jeremie Courreges-Anglas
Scott wrote:
> Hello,
>
> $ grep 'MaxSessions' /etc/ssh/sshd_config
> MaxSessions 2
>
> But I can log into a box with at least 5 sessions (I stopped trying at
> that point).

You probably did launch 5 independent ssh connections, not 5 sessions
using the same connection.
MaxSessions is the maximum number of sessions a user can use in a single
connection, using multiplexing (see ControlMaster, ControlPath).
Look again at the definition of MaxSessions: it is talking about network
connections, not network addresses.

> My question:
> Is 'Match' used as a further refinement to any of the rules listed in
> the keywords section (see last paragraph above), or is it required in
> order to use one of those keywords? If the former is true, then I
> don't understand why my setting doesn't seem to work. If it's the
> latter, then I know I've omitted something.

No, you don't *need* Match to apply those keywords.
I think you want firewall-level features (hint: max-src-conn).
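A pf.conf fragment, added here as an illustration and not part of anyone's post in the thread, showing the per-source limit Jeremie hints at: "MaxSessions 2" in sshd_config caps the multiplexed channels inside one TCP connection, while pf's max-src-conn caps how many concurrent TCP connections a single source address may hold open. The table name, the use of the egress interface group and the chosen numbers are assumptions.

```pf
# Constructed example pf.conf fragment (not from the thread).
# sshd's "MaxSessions 2" only limits sessions multiplexed over one
# TCP connection; the state-tracking options below limit the
# connections themselves, per source address.

# Sources that exceed the limits are collected here; "persist" keeps
# the table defined even while it is empty.
table <ssh_abusers> persist

# Drop everything from a source that has already been flagged.
block in quick from <ssh_abusers>

# Allow inbound SSH with per-source limits:
#   max-src-conn 2          at most 2 concurrent TCP connections per source
#   max-src-conn-rate 5/60  at most 5 new connections per 60 s per source
#   overload ... flush global  on a violation, add the source to the table
#                           and tear down all of its existing states
pass in on egress inet proto tcp to (egress) port ssh \
    keep state (max-src-conn 2, max-src-conn-rate 5/60, \
                overload <ssh_abusers> flush global)
```

Load it with `pfctl -f /etc/pf.conf`; `pfctl -t ssh_abusers -T show` lists the sources that have been flagged.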



Re: sshd_config ignores MaxSessions?

2011-11-11 Thread Mattias Pehlke
* Scott amorphous.yet@gmail.com [11.11.2011 20:30]:
> Hello,
>
> $ grep 'MaxSessions' /etc/ssh/sshd_config
> MaxSessions 2
>
> But I can log into a box with at least 5 sessions (I stopped trying at
> that point).

This is not the focus of the MaxSessions directive.

See http://openssh.org/txt/release-5.1:

[...]
 * Added a MaxSessions option to sshd_config(5) to allow control of the
   number of multiplexed sessions supported over a single TCP connection.
   This allows increasing the number of allowed sessions above the
   previous default of 10, disabling connection multiplexing
   (MaxSessions=1) or disallowing login/shell/subsystem sessions
   entirely (MaxSessions=0).



--
Mattias



Re: sshd_config ignores MaxSessions?

2011-11-11 Thread Scott
Got it. Thank you both for clearing up the definitions for me, and
thanks to Jeremie for pointing me to pf. I'll look at that tonight and
see if it suits my intention.

-Scott


On Fri, Nov 11, 2011 at 1:16 PM, Mattias Pehlke matt...@mpehlke.de wrote:
> * Scott amorphous.yet@gmail.com [11.11.2011 20:30]:
> > Hello,
> >
> > $ grep 'MaxSessions' /etc/ssh/sshd_config
> > MaxSessions 2
> >
> > But I can log into a box with at least 5 sessions (I stopped trying at
> > that point).
>
> This is not the focus of the MaxSessions directive.
>
> See http://openssh.org/txt/release-5.1:
>
> [...]
>  * Added a MaxSessions option to sshd_config(5) to allow control of the
>    number of multiplexed sessions supported over a single TCP connection.
>    This allows increasing the number of allowed sessions above the
>    previous default of 10, disabling connection multiplexing
>    (MaxSessions=1) or disallowing login/shell/subsystem sessions
>    entirely (MaxSessions=0).
>
> --
> Mattias