Sending SSH_MSG_DISCONNECT before dropping connections
olle ollesson
bpsr77 at hotmail.com
Fri Dec 2 04:03:08 EST 2005
Hi.
From my understanding the MaxStartups option can be set to limit the number
of concurrent sessions the OpenSSH server opens. My concern is how OpenSSH
handles the case where this number is reached.
From the code it looks like it simply closes the socket:

sshd.c:1440
    if (drop_connection(startups) == 1) {
        debug("drop connection #%d", startups);
        close(newsock);
        continue;
    }
Why is there no disconnect message sent that explains to the client why the
socket was closed?
From draft-ietf-secsh-transport-24.txt, chapter 11:
----------------------------------------------------------
11. Additional Messages
Either party may send any of the following messages at any time.
11.1 Disconnection Message
      byte      SSH_MSG_DISCONNECT
      uint32    reason code
      string    description [RFC3629]
      string    language tag [RFC3066]
This message causes immediate termination of the connection. All
implementations MUST be able to process this message; they SHOULD be
able to send this message.
The sender MUST NOT send or receive any data after this message, and
the recipient MUST NOT accept any data after receiving this message.
The Disconnection Message 'description' string gives a more specific
explanation in a human-readable form. The Disconnection Message
'reason code' gives the reason in a more machine-readable format
(suitable for localization), and can have the values as displayed in
the table below. Note that the decimal representation is displayed
in this table for readability but that the values are actually uint32
values.
      Symbolic name                                  reason code
      -------------                                  -----------
      SSH_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT          1
      SSH_DISCONNECT_PROTOCOL_ERROR                       2
      SSH_DISCONNECT_KEY_EXCHANGE_FAILED                  3
      SSH_DISCONNECT_RESERVED                             4
      SSH_DISCONNECT_MAC_ERROR                            5
      SSH_DISCONNECT_COMPRESSION_ERROR                    6
      SSH_DISCONNECT_SERVICE_NOT_AVAILABLE                7
      SSH_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED       8
      SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE              9
      SSH_DISCONNECT_CONNECTION_LOST                     10
      SSH_DISCONNECT_BY_APPLICATION                      11
      SSH_DISCONNECT_TOO_MANY_CONNECTIONS                12
      SSH_DISCONNECT_AUTH_CANCELLED_BY_USER              13
      SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE      14
      SSH_DISCONNECT_ILLEGAL_USER_NAME                   15
----------------------------------------------------------
If an SSH_DISCONNECT_TOO_MANY_CONNECTIONS disconnect message were to be sent
before the connection is closed, how far would the SSH connection setup need
to go before this could be done?
The draft says it can be sent at any time. Can we send it before the
"Protocol Version Exchange"? Probably not. Before the Key Exchange? I'm not
sure. The question is, how far would the SSH negotiation/connection setup need
to go in order for the SSH server to refuse the connection in a more
controlled way, that is, by sending the SSH_DISCONNECT_TOO_MANY_CONNECTIONS
disconnect message, and still be compliant with the draft standard?
Best Regards,
Olle
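The exchange asked about in the post above, as an added example that is not part of the original message and is not OpenSSH code. The transport spec (the quoted draft, later published as RFC 4253) requires both sides to send an identification string once the connection is established, does not require either side to wait for the other's, and puts every packet after that string into the binary packet protocol; before key exchange those packets are unencrypted and carry no MAC (RFC 4253, sections 4.2 and 6). So the earliest spec-compliant point for a refusal is: server identification string, then a plaintext SSH_MSG_DISCONNECT(TOO_MANY_CONNECTIONS), then close. The identification string "SSH-2.0-ExampleRefuser_0.1", the description text, and the use of a socketpair in place of a real TCP connection are assumptions made for the example; the message layout and reason code come from the quoted section 11.1.

```python
import os
import socket
import struct

# Message number and reason code from the transport draft quoted above.
SSH_MSG_DISCONNECT = 1
SSH_DISCONNECT_TOO_MANY_CONNECTIONS = 12

# Assumed identification string for the refusing server (example only).
SERVER_ID = b"SSH-2.0-ExampleRefuser_0.1"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_disconnect(reason_code: int, description: str, language_tag: str = "") -> bytes:
    """SSH_MSG_DISCONNECT payload as laid out in section 11.1 of the draft:
    byte, uint32 reason code, string description (UTF-8), string language tag."""
    return (bytes([SSH_MSG_DISCONNECT])
            + struct.pack(">I", reason_code)
            + ssh_string(description.encode("utf-8"))
            + ssh_string(language_tag.encode("ascii")))


def wrap_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Pre-KEX binary packet framing (RFC 4253 s6): uint32 packet_length,
    byte padding_length, payload, random padding, no MAC. Padding is at
    least 4 bytes and makes the whole packet a multiple of block_size."""
    pad_len = block_size - (4 + 1 + len(payload)) % block_size
    if pad_len < 4:
        pad_len += block_size
    packet_length = 1 + len(payload) + pad_len  # excludes the length field itself
    return struct.pack(">IB", packet_length, pad_len) + payload + os.urandom(pad_len)


def refuse_connection(sock: socket.socket) -> None:
    """Server side: identification string, plaintext DISCONNECT, close.
    Nothing is read from the client first; the server need not wait."""
    payload = build_disconnect(SSH_DISCONNECT_TOO_MANY_CONNECTIONS,
                               "Too many concurrent unauthenticated connections")
    sock.sendall(SERVER_ID + b"\r\n" + wrap_packet(payload))
    sock.close()


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a complete packet arrived")
        buf += chunk
    return buf


def read_identification(sock: socket.socket) -> bytes:
    """Client side: skip any banner lines, return the line starting with SSH-."""
    while True:
        line = b""
        while not line.endswith(b"\r\n"):
            line += recv_exact(sock, 1)
        if line.startswith(b"SSH-"):
            return line[:-2]


def read_packet(sock: socket.socket) -> bytes:
    """Client side: strip pre-KEX framing and return the payload."""
    (packet_length,) = struct.unpack(">I", recv_exact(sock, 4))
    body = recv_exact(sock, packet_length)
    pad_len = body[0]
    return body[1:packet_length - pad_len]


def parse_disconnect(payload: bytes):
    """Decode a DISCONNECT payload into (reason_code, description, language_tag)."""
    if payload[0] != SSH_MSG_DISCONNECT:
        raise ValueError("not SSH_MSG_DISCONNECT, message number %d" % payload[0])
    (reason,) = struct.unpack_from(">I", payload, 1)
    off, fields = 5, []
    for _ in range(2):
        (n,) = struct.unpack_from(">I", payload, off)
        fields.append(payload[off + 4:off + 4 + n])
        off += 4 + n
    return reason, fields[0].decode("utf-8"), fields[1].decode("ascii")


def client_receive_refusal(sock: socket.socket):
    """Client side of the exchange: server identification, then the DISCONNECT."""
    ident = read_identification(sock)
    reason, description, lang = parse_disconnect(read_packet(sock))
    sock.close()
    return ident, reason, description, lang


def demo():
    """Both sides over a socketpair, standing in for a real TCP connection."""
    server_side, client_side = socket.socketpair()
    refuse_connection(server_side)
    return client_receive_refusal(client_side)


if __name__ == "__main__":
    print(demo())
```

The client side is deliberately strict about framing: it reads the identification line first and only then parses a binary packet, which is why a DISCONNECT written before the identification string would not be understood by a conforming client.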