Bug#1080350: openssh-server: refuses further connections after having handled PerSourceMaxStartups connections
severity 1080350 important
thanks
On Wed, Jul 23, 2025 at 09:54:34AM +0200, Steinar H. Gunderson wrote:
> I'm wondering if there's something generally broken with MaxStartups
> in trixie, beyond this; I upgraded from bookworm, and since then I've had
> generally very spotty MaxStartups behavior. I never needed to change
> MaxStartups before, but now, my backup and Nagios runs keep failing
> all the time, with things like:
>
> Jul 23 04:36:07 pannekake.samfundet.no sshd[10555]: drop connection #1 from
> [2a02:20c8:2640::b2ff:97a7]:39984 on [2001:67c:29f4::50]:22 Maxstartups
Adding some debug logs, it seems that the problem is indeed
PerSourceMaxStartups. It seems that the list of children[] isn't properly
cleaned up (perhaps srclimit_done() not being called correctly?), which
makes the server think there are 10 connections for a given IP
(I have PerSourceMaxStartups 10), even though there's not even that number
of connections total (see “drop connection #1”, i.e., this is the second
global connection).
This is going to cause pretty widespread and hard-to-debug breakage,
so I'm upgrading this to important.
/* Steinar */
--
Homepage: https://www.sesse.net/
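A log triage check for the symptom described in this report, as an added example that is not part of the original message or of OpenSSH. It flags "drop connection" lines logged while fewer connections were pending in total than either limit allows; the function and parameter names are hypothetical, the MaxStartups start value of 10 assumes the OpenSSH default, and "#N" is read as in the report (the N+1th pending connection).

```python
import re

# Line format taken from the sshd log line quoted in the report.
DROP_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: drop connection #(?P<n>\d+) "
    r"from \[(?P<src>[^\]]+)\]:(?P<sport>\d+) "
    r"on \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) (?P<reason>\S+)"
)

def find_impossible_drops(lines, per_source_limit=10, max_startups_start=10):
    """Return drops that neither limit can explain.

    If fewer connections are pending in total than the lower of the two
    thresholds, no single source can have reached PerSourceMaxStartups
    and the global MaxStartups random drop cannot have started either.
    """
    floor = min(per_source_limit, max_startups_start)
    hits = []
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue  # not a drop line
        pending = int(m["n"]) + 1  # the report reads "#1" as the second connection
        if pending < floor:
            hits.append({"src": m["src"], "pending": pending,
                         "reason": m["reason"], "pid": int(m["pid"])})
    return hits

# First line is the one quoted in the report, rejoined onto one line.
# The other two are constructed for this example.
SAMPLE = [
    "Jul 23 04:36:07 pannekake.samfundet.no sshd[10555]: drop connection #1 "
    "from [2a02:20c8:2640::b2ff:97a7]:39984 on [2001:67c:29f4::50]:22 Maxstartups",
    "Jul 23 04:40:00 host.example sshd[10555]: drop connection #12 "
    "from [2001:db8::7]:40000 on [2001:db8::1]:22 Maxstartups",
    "Jul 23 04:41:00 host.example sshd[10555]: Accepted publickey for backup "
    "from 2001:db8::7 port 40002 ssh2",
]

if __name__ == "__main__":
    for hit in find_impossible_drops(SAMPLE):
        print(f"suspicious drop: src={hit['src']} pending={hit['pending']} "
              f"reason={hit['reason']}")
```

Pass `per_source_limit` and `max_startups_start` from the server's effective configuration before trusting the output on a host with non-default limits.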