Bug#1080350: openssh-server: refuses further connections after having handled PerSourceMaxStartups connections
Package: openssh-server
Version: 1:9.8p1-4
Severity: normal
PerSourceMaxStartups should limit the number of concurrent
unauthenticated connections coming from a single source. But in recent
versions, all further connections from the given address are refused
after the server has handled the configured PerSourceMaxStartups
connections from it. It worked the expected way in some past versions.

To reproduce:

  # sponge /etc/ssh/sshd_config.d/bug-startups.conf <<< 'PerSourceMaxStartups 2'
  # service ssh restart
  $ ssh localhost true
  $ ssh localhost true
  $ ssh localhost true

Observe the third connection failing and 'beginning MaxStartups
throttling' being logged without any other concurrent connections from
localhost at all.
-k
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (900, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.7.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages openssh-server depends on:
ii adduser 3.137
ii debconf [debconf-2.0] 1.5.87
ii init-system-helpers 1.66
ii libaudit1 1:3.1.2-4+b1
ii libc6 2.40-2
ii libcom-err2 1.47.1-1
ii libcrypt1 1:4.4.36-5
ii libgssapi-krb5-2 1.21.3-3
ii libkrb5-3 1.21.3-3
ii libpam-modules 1.5.3-7
ii libpam-runtime 1.5.3-7
ii libpam0g 1.5.3-7
ii libselinux1 3.7-1+b1
ii libssl3t64 3.3.1-7
ii libwrap0 7.6.q-33
ii lsb-base 11.6
ii openssh-client 1:9.8p1-4
ii openssh-sftp-server 1:9.8p1-4
ii procps 2:4.0.4-5
ii runit-helper 2.16.3
ii sysvinit-utils [lsb-base] 3.10-1
ii ucf 3.0043+nmu1
ii zlib1g 1:1.3.dfsg+really1.3.1-1
Versions of packages openssh-server recommends:
pn default-logind | logind | libpam-systemd <none>
ii ncurses-term 6.5-2
ii xauth 1:1.1.2-1
Versions of packages openssh-server suggests:
ii molly-guard 0.8.4
pn monkeysphere <none>
ii ssh-askpass 1:1.2.4.1-16+b1
pn ufw <none>
-- Configuration Files:
/etc/ssh/moduli changed [not included]
-- debconf information:
openssh-server/permit-root-login: true
openssh-server/password-authentication: false
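
Added example (not part of the original report and not OpenSSH code): a small regression oracle that replays a connection trace against the concurrent-only semantics the report expects from PerSourceMaxStartups and flags any decision that deviates from them. The trace format, the function name and the sample traces are hypothetical; it assumes sources are matched by exact address and that the global MaxStartups limit is never reached.

```python
from collections import defaultdict

def limiter_deviations(events, per_source_limit):
    """Flag decisions that a concurrent-only per-source limiter would not make.

    events: time-ordered (source, kind, outcome) tuples. kind "start" is a new
    unauthenticated connection with outcome "accepted" or "refused"; kind "end"
    means an accepted connection authenticated or closed (outcome is None).
    Returns a list of (event_index, source, in_flight, verdict).
    """
    in_flight = defaultdict(int)  # source -> unauthenticated connections open now
    deviations = []
    for index, (source, kind, outcome) in enumerate(events):
        if kind == "end":
            if in_flight[source] == 0:
                raise ValueError(f"event {index}: 'end' without an open connection")
            in_flight[source] -= 1  # the slot must be released here
        elif kind == "start" and outcome == "accepted":
            if in_flight[source] >= per_source_limit:
                deviations.append((index, source, in_flight[source], "accepted-at-limit"))
            in_flight[source] += 1
        elif kind == "start" and outcome == "refused":
            if in_flight[source] < per_source_limit:
                deviations.append((index, source, in_flight[source], "refused-below-limit"))
        else:
            raise ValueError(f"event {index}: unknown event {kind!r}/{outcome!r}")
    return deviations

# Constructed trace of the report's reproduction: three sequential connections.
SEQUENTIAL = [
    ("127.0.0.1", "start", "accepted"), ("127.0.0.1", "end", None),
    ("127.0.0.1", "start", "accepted"), ("127.0.0.1", "end", None),
    ("127.0.0.1", "start", "refused"),
]
# Constructed trace of correct throttling: three overlapping connections.
OVERLAPPING = [
    ("127.0.0.1", "start", "accepted"), ("127.0.0.1", "start", "accepted"),
    ("127.0.0.1", "start", "refused"), ("127.0.0.1", "end", None),
    ("127.0.0.1", "start", "accepted"),
]

if __name__ == "__main__":
    print(limiter_deviations(SEQUENTIAL, 2))
    print(limiter_deviations(OVERLAPPING, 2))
```

With a limit of 2, the sequential trace yields one "refused-below-limit" entry for the third connection, while the overlapping trace yields none.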