[PATCH] Add config option disabling drop_connection() behavior
Garry Zacheiss
zacheiss at MIT.EDU
Wed May 29 14:29:37 EST 2002
The patch below (against openssh 3.2.3p1) adds a
CheckMaxStartups option, defaulting to yes, to determine whether sshd
calls drop_connection().
The motivation behind this is twofold. In our environment, our
timesharing machines get enough incoming connections that will trigger
spuriously with the default value (10 forked unauthenticated
connections) as well as some significantly higher values, and I'd rather
disable this feature than just configure it to some ridiculously high
value.
A secondary motivation is that this code is sometimes triggered
when the machine's AFS client has gotten into a broken state (forked
sshd tries to touch AFS for user homedir, loses), and I've already had
at least one coworker get dragged down the wrong debugging path and "try
to debug why sshd is accepting new connections and immediately dropping
them" when the real problem the machine is experiencing is different.
It didn't seem like being able to selectively disable this
feature would be a bad thing, so please consider this patch for
inclusion in a future version of OpenSSH.
I'm not currently subscribed to this list, so please cc me on
any replies. Thanks in advance for your consideration.
Garry
--- servconf.h 2002/05/29 03:50:01 1.1
+++ servconf.h 2002/05/29 03:50:53
@@ -112,6 +112,7 @@
char *subsystem_name[MAX_SUBSYSTEMS];
char *subsystem_command[MAX_SUBSYSTEMS];
+ int check_max_startups;
int max_startups_begin;
int max_startups_rate;
int max_startups;
--- servconf.c 2002/05/29 03:49:54 1.1
+++ servconf.c 2002/05/29 03:54:09
@@ -112,6 +112,7 @@
options->protocol = SSH_PROTO_UNKNOWN;
options->gateway_ports = -1;
options->num_subsystems = 0;
+ options->check_max_startups = -1;
options->max_startups_begin = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
@@ -228,6 +229,8 @@
options->allow_tcp_forwarding = 1;
if (options->gateway_ports == -1)
options->gateway_ports = 0;
+ if (options->check_max_startups == -1)
+ options->check_max_startups = 1;
if (options->max_startups == -1)
options->max_startups = 10;
if (options->max_startups_rate == -1)
@@ -281,7 +284,8 @@
sUseLogin, sAllowTcpForwarding,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
- sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+ sCheckMaxStartups, sMaxStartups,
sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -353,6 +357,7 @@
{ "protocol", sProtocol },
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
+ { "checkmaxstartups", sCheckMaxStartups },
{ "maxstartups", sMaxStartups },
{ "banner", sBanner },
{ "verifyreversemapping", sVerifyReverseMapping },
@@ -835,6 +840,10 @@
options->num_subsystems++;
break;
+ case sCheckMaxStartups:
+ intptr = &options->check_max_startups;
+ goto_parse_flag;
+
case sMaxStartups:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
--- sshd.8 2002/05/29 03:50:10 1.1
+++ sshd.8 2002/05/29 03:54:38
@@ -656,6 +656,11 @@
Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm CheckMaxStartups
+Specifies whether the server should check the number of concurrent
+unauthenticated connections to the daemon, and drop new incoming
+connections if this number exceeds some threshold. See the
+"MaxStartups" configuration option for more information.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm
--- sshd.c 2002/05/29 03:50:13 1.1
+++ sshd.c 2002/05/29 03:55:59
@@ -1243,7 +1243,8 @@
close(newsock);
continue;
}
- if (drop_connection(startups) == 1) {
+ if (options.check_max_startups &&
+ drop_connection(startups) == 1) {
debug("drop connection #%d", startups);
close(newsock);
continue;
More information about the openssh-unix-dev
mailing list