[ssh_x509] Is it possible to limit maximum number of clients?

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sat Apr 25 19:31:22 EEST 2020

Hi José ,

ssh_x509 at roumenpetrov.info wrote:
> C2 - PSA Sensitive
> I am trying to limit the number of total OpenSSH connections to our Unix systems.

If seems to me request is more complex, i.e. to limit "network connections",  "sessions" and with disabled forwarding.

> At first, I have tried modifying OpenSSH configuration with `MaxSessions` and `MaxStartups` options but with no success. They are ignored (maybe I don't really understand what this options are intended to).

* https://securebox.termoneplus.com/man5/sshd_config.5.html#MaxSessions

So let run daemon with ... "-o MaxSessions=1.." (p1).

Let client connect with login session using multiplexing (p2):
$ ssh ... -o ControlPath=~/.ssh/ctrl-%L.sock -o ControlMaster=ask ...

( see https://securebox.termoneplus.com/man5/ssh_config.5.html#ControlMaster )

Let try to open new login session using multiplexing (p3):
ssh ... -o ControlPath=~/.ssh/ctrl-%L.sock ...

According documentation "if the |ControlPath| cannot be opened, ssh(1) will continue without connecting to a master instance."
As result of above configuration on client side you will see two network connections (check with netstat or similar).
Also on client side you will see that opening of multiplexing session fail and client continues with normal connection. You could be prompted for password if connection does not use keys stored in agent. On server side you should see key exchange and etc.

As next step let set MaxSessions=2 and to repeat above. On second connection at point 3 client will prompt and on positive answer you will be connected reusing connection. No password prompt , netstat, will show only one connection, server will not log KEX and etc.

So MaxSessions=1 to prevent session multiplexing.

* https://securebox.termoneplus.com/man5/sshd_config.5.html#MaxStartups

Let me quote "Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."

Now let run daemon with ... -o MaxStartups=1:100:2 -o LoginGraceTime=10 ... and on client side to run ssh-keyscan .
Expected is to see "Connection closed by remote host" 15 times, one line for algorithm and perhaps host key for that algorithm.
Remark: PKIX-SSH support 16 key algorithms, "plain" or with X.509 certificate. By default ssh-keyscan scan for each of them.
With this test only one ssh-keyscan connection is unauthenticated and for other daemon "...refuse connection attempts with a probability of rate/100 (100%)...".

So MaxStartups is not useful to limit connection or sessions.

> Using PAM limits in `/etc/security/limits.conf` I have succeed with `maxsyslogins` directive:
> ```
> # limit connections to the system to 10
> *    -    maxsyslogins    10
> ```
> It works, but we are limiting all kind of logins to the system, and using a third party solution to apply limitations to OpenSSH. By example, we have different kind of Unix (HP-UX, Solaris, Linux, AIX) and in not every server we are using PAM for authentication.
> I mean, does it exists a simpler and more direct way to do it? Something similar to Apache `MaxClients` directive?

MaxRequestWorkers (new name) of directive - "Maximum number of connections that will be processed simultaneously".
This is mostly related to threads, pools ,child servers and etc. used to serve clients and more or less could be calculated based on hardware. Changes of this option requires adjustment of other options.

This options does not contradict with firewall settings. From my point of view directive is to control work-load not to restrict clients.

DNS, and some other servers could implement connection limit as work-load per connection is similar. It seems to me HTTP servers fail into this category.

> I don't find it and it's very strange for me that OpenSSH/PKIX-SSH does not have this possibility :-|.

For a ssh session I have no idea how to calculate work-load. Unlike other servers work-load depend from business needs. What are programs that client run, resources used by those programs and etc? Depending on this on and the same hardware session limit could be different.

 From this point of view I'm not interesting to enhance functionality with connection limits.

Network connection limits are more in subject of firewall settings. Firewall is more suitable program to restrict network settings.
 From my point of view firewall is required on servers that offer remote access/login (ssh session). And so restriction of connections is duplication of functionality.

Please see another email to this thread that point how to use iptables for this part.

> ---
> José Manuel Ciges Regueiro
> Unix Systems Administrator & LAMP developer
> Tel: +34 608 57.05.06
> Skype:  jmciges
> Email:  jmanuel at ciges.net

Roumen Petrov

More information about the ssh_x509 mailing list