Bug#1080350: openssh-server: refuses further connections after having handled PerSourceMaxStartups connections

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1080350: openssh-server: refuses further connections after having handled PerSourceMaxStartups connections
From: Kacper Gutowski <mwgamera@gmail.com>
Date: Mon, 2 Sep 2024 19:05:25 +0200
Message-id: <[🔎] CAMkCj6g0-ZVsiC6ZQO8atfiEec1K=8Vy+WWsApWyH_wPQgZdNQ@mail.gmail.com>
Reply-to: Kacper Gutowski <mwgamera@gmail.com>, 1080350@bugs.debian.org

Package: openssh-server
Version: 1:9.8p1-4
Severity: normal

The PerSourceMaxStartups should limit the number of concurrent
unauthenticated connections coming from a single source. But in recent
versions, all further connections from the given address are refused
after the server has handled the configured PerSourceMaxStartups
connections from it. It worked the expected way in some past versions.

To reproduce:

# sponge /etc/ssh/sshd_config.d/bug-startups.conf <<< 'PerSourceMaxStartups 2'
# service ssh restart
$ ssh localhost true
$ ssh localhost true
$ ssh localhost true

Observe the third connection failing and 'beginning MaxStartups
throttling' being logged without any other concurrent connections from
the localhost at all.

-k

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-server depends on:
ii  adduser                    3.137
ii  debconf [debconf-2.0]      1.5.87
ii  init-system-helpers        1.66
ii  libaudit1                  1:3.1.2-4+b1
ii  libc6                      2.40-2
ii  libcom-err2                1.47.1-1
ii  libcrypt1                  1:4.4.36-5
ii  libgssapi-krb5-2           1.21.3-3
ii  libkrb5-3                  1.21.3-3
ii  libpam-modules             1.5.3-7
ii  libpam-runtime             1.5.3-7
ii  libpam0g                   1.5.3-7
ii  libselinux1                3.7-1+b1
ii  libssl3t64                 3.3.1-7
ii  libwrap0                   7.6.q-33
ii  lsb-base                   11.6
ii  openssh-client             1:9.8p1-4
ii  openssh-sftp-server        1:9.8p1-4
ii  procps                     2:4.0.4-5
ii  runit-helper               2.16.3
ii  sysvinit-utils [lsb-base]  3.10-1
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.3.dfsg+really1.3.1-1

Versions of packages openssh-server recommends:
pn  default-logind | logind | libpam-systemd  <none>
ii  ncurses-term                              6.5-2
ii  xauth                                     1:1.1.2-1

Versions of packages openssh-server suggests:
ii  molly-guard   0.8.4
pn  monkeysphere  <none>
ii  ssh-askpass   1:1.2.4.1-16+b1
pn  ufw           <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]

-- debconf information:
  openssh-server/permit-root-login: true
  openssh-server/password-authentication: false

Reply to:

Next by Date: Processed: retitle 541776 to Mole: symbols.tester sometimes lose epoch in versions ...
Next by thread: Processed: retitle 541776 to Mole: symbols.tester sometimes lose epoch in versions ...
Index(es):
- Date
- Thread