Bug#1080350: openssh-server: refuses further connections after having handled PerSourceMaxStartups connections



Package: openssh-server
Version: 1:9.8p1-4
Severity: normal

PerSourceMaxStartups should limit the number of concurrent
unauthenticated connections coming from a single source. But in recent
versions, all further connections from the given address are refused
after the server has handled the configured PerSourceMaxStartups
connections from it. It worked the expected way in some past versions.

To reproduce:

# sponge /etc/ssh/sshd_config.d/bug-startups.conf <<< 'PerSourceMaxStartups 2'
# service ssh restart
$ ssh localhost true
$ ssh localhost true
$ ssh localhost true

Observe the third connection failing and 'beginning MaxStartups
throttling' being logged without any other concurrent connections from
localhost at all.

-k

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-server depends on:
ii  adduser                    3.137
ii  debconf [debconf-2.0]      1.5.87
ii  init-system-helpers        1.66
ii  libaudit1                  1:3.1.2-4+b1
ii  libc6                      2.40-2
ii  libcom-err2                1.47.1-1
ii  libcrypt1                  1:4.4.36-5
ii  libgssapi-krb5-2           1.21.3-3
ii  libkrb5-3                  1.21.3-3
ii  libpam-modules             1.5.3-7
ii  libpam-runtime             1.5.3-7
ii  libpam0g                   1.5.3-7
ii  libselinux1                3.7-1+b1
ii  libssl3t64                 3.3.1-7
ii  libwrap0                   7.6.q-33
ii  lsb-base                   11.6
ii  openssh-client             1:9.8p1-4
ii  openssh-sftp-server        1:9.8p1-4
ii  procps                     2:4.0.4-5
ii  runit-helper               2.16.3
ii  sysvinit-utils [lsb-base]  3.10-1
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.3.dfsg+really1.3.1-1

Versions of packages openssh-server recommends:
pn  default-logind | logind | libpam-systemd  <none>
ii  ncurses-term                              6.5-2
ii  xauth                                     1:1.1.2-1

Versions of packages openssh-server suggests:
ii  molly-guard   0.8.4
pn  monkeysphere  <none>
ii  ssh-askpass   1:1.2.4.1-16+b1
pn  ufw           <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]

-- debconf information:
  openssh-server/permit-root-login: true
  openssh-server/password-authentication: false

