Sending SSH_MSG_DISCONNECT before dropping connections

Damien Miller djm at mindrot.org
Fri Dec 2 09:34:36 EST 2005


On Thu, 1 Dec 2005, olle ollesson wrote:

> Hi again,
>
> Thanks for the clarification Markus. Now the natural next question:
>
> Is there any reason why OpenSSH does not do it that way, that is, send
> SSH_MSG_DISCONNECT with an SSH_DISCONNECT_TOO_MANY_CONNECTIONS reason code
> before closing the socket when the max number of allowed sessions has been
> reached? What are the pros and cons in doing so?

MaxStartups is a DoS mitigation setting - i.e. it is supposed to limit 
the effect of someone flooding a server with connections, while still
allowing a real admin a chance of logging in.

As such, there is no point in being polite to people you are going to 
drop.

-d
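
The "chance of logging in" mentioned above, as an added example (not OpenSSH source and not part of the original message): it follows the `start:rate:full` form of MaxStartups documented in sshd_config(5), where the drop probability ramps linearly from `rate` percent at `start` unauthenticated connections to 100 percent at `full`. The struct and function names are hypothetical.

```c
#include <stdio.h>

/* Parsed MaxStartups value (hypothetical struct, per sshd_config(5) semantics). */
struct max_startups {
    int start;  /* unauthenticated connections at which dropping begins */
    int rate;   /* drop percentage once 'start' is reached */
    int full;   /* count at which every new connection is dropped */
};

/* Parse "start:rate:full" or a single number "N" (hard limit at N).
 * Returns 0 on success, -1 on malformed or out-of-range input. */
int parse_max_startups(const char *s, struct max_startups *m)
{
    int n = 0;

    if (sscanf(s, "%d:%d:%d%n", &m->start, &m->rate, &m->full, &n) == 3 &&
        s[n] == '\0') {
        /* three-field form: ranges are checked below */
    } else if (sscanf(s, "%d%n", &m->start, &n) == 1 && s[n] == '\0') {
        m->rate = 100;          /* single number: drop everything at N */
        m->full = m->start;
    } else {
        return -1;
    }
    if (m->start < 0 || m->start > m->full || m->rate < 1 || m->rate > 100)
        return -1;
    return 0;
}

/* Percent chance that a new connection is dropped (closed with no
 * SSH_MSG_DISCONNECT) given the current unauthenticated connection count. */
int drop_percent(const struct max_startups *m, int startups)
{
    if (startups < m->start)
        return 0;
    if (startups >= m->full || m->rate == 100)
        return 100;
    return m->rate +
        (100 - m->rate) * (startups - m->start) / (m->full - m->start);
}

int main(void)
{
    struct max_startups m;
    const int load[] = { 5, 10, 55, 99, 100 };  /* constructed sample loads */

    if (parse_max_startups("10:30:100", &m) != 0)
        return 1;
    for (size_t i = 0; i < sizeof(load) / sizeof(load[0]); i++)
        printf("%3d pending -> %3d%% dropped\n", load[i], drop_percent(&m, load[i]));
    return 0;
}
```

Below `full`, an administrator's connection attempt during a flood still has a nonzero chance of being accepted, which a hard cutoff at a single number does not give.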




More information about the openssh-unix-dev mailing list