I want to limit the total number of ssh connections. I have gone through many sshd manuals. They just say that these two fields can be used:
MaxStartups: the max number of concurrent unauthenticated connections to the SSH daemon
MaxSessions: the max number of (multiplexed) open sessions permitted per TCP connection
What is the contribution of both in calculating the total number of ssh connections?
The question is quite old and might be better suited to serverfault but it never got an answer beyond citing the man page. My answer is to complement the details of the man page by adding some context.
First of all, it should be noted that both settings are independent of each other; they address different stages of the SSH connection.
MaxSessions
SSH allows session multiplexing, aka opening many sessions (e.g. a shell, an sftp transfer and a raw command) at the same time using just one TCP connection. This saves the overhead of multiple TCP handshakes and multiple SSH authentications. The parameter MaxSessions allows you to restrict this multiplexing to a certain number of sessions.
If you set MaxSessions 1 and have a shell open, you can still run an SFTP transfer or open a second shell, but in the background SSH will open another TCP connection and authenticate again. (Use password authentication to make this visible.)
If you set MaxSessions 0 you can make sure no one can open a session (a shell, SFTP or similar), but you can still connect to open a tunnel or ssh into the next host.
Check out the ControlMaster section of ssh_config(5).
MaxSessions
Specifies the maximum number of open shell, login or subsystem
(e.g. sftp) sessions permitted per network connection. Multiple
sessions may be established by clients that support connection
multiplexing. Setting MaxSessions to 1 will effectively disable
session multiplexing, whereas setting it to 0 will prevent all
shell, login and subsystem sessions while still permitting for-
warding. The default is 10.
MaxStartups
When you connect to the remote SSH server, there is a time window between establishing the connection and successful authentication. This time frame can be very small, e.g. when you configure your SSH client to use a certain private key for this connection, or it can be long, when the client first tries three different SSH keys, asks you to enter a password and then waits for you to enter a 2nd factor auth code you get via text message. The sum of connections that are in this time frame at the same time is the "concurrent unauthenticated connections" mentioned on the man page cited. If there are too many connections in this state, sshd stops accepting new ones. You can tweak MaxStartups to change when this happens.
A real world use case for changing the default is for example a jump host that is used by provisioning software like Ansible. When asked to provision a lot of hosts behind the jump host, Ansible opens up many connections at the same time, so it might run into this limit if connections are opened quicker than the SSH host is able to authenticate them.
MaxStartups
Specifies the maximum number of **concurrent unauthenticated con-
nections to the SSH daemon.** Additional connections will be
dropped until authentication succeeds or the LoginGraceTime
expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the
three colon separated values ``start:rate:full'' (e.g.
"10:30:60"). sshd(8) will refuse connection attempts with a
probability of ``rate/100'' (30%) if there are currently
``start'' (10) unauthenticated connections. The probability
increases linearly and all connection attempts are refused if the
number of unauthenticated connections reaches ``full'' (60).
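The random early drop described above, as an added example that is neither from this answer nor OpenSSH's own code: a small Python model of how a start:rate:full MaxStartups value turns into a refusal probability for each new unauthenticated connection. The linear ramp in integer percent follows the man page text; a single-number MaxStartups is treated as start == full (a hard limit with no random phase), which is how sshd interprets it.

```python
"""Model of sshd's MaxStartups random early drop (added example, not sshd code)."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class MaxStartups:
    start: int  # unauthenticated connections before any drop happens
    rate: int   # drop probability in percent once 'start' is reached
    full: int   # unauthenticated connections at which every new one is refused


def parse_max_startups(spec: str) -> MaxStartups:
    """Parse 'start:rate:full' (e.g. '10:30:100') or a single number 'N'.

    A single number means start == full: no random phase, just a hard cap.
    """
    parts = spec.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return MaxStartups(n, 100, n)
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    start, rate, full = (int(p) for p in parts)
    if start <= 0 or start > full or not 1 <= rate <= 100:
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    return MaxStartups(start, rate, full)


def drop_probability(unauth: int, ms: MaxStartups) -> int:
    """Percent chance that a new connection is refused while 'unauth'
    connections are still unauthenticated: 0 below 'start', 'rate' at
    'start', rising linearly (integer math) to 100 at 'full'."""
    if unauth < ms.start:
        return 0
    if unauth >= ms.full or ms.rate == 100:
        return 100
    ramp = (100 - ms.rate) * (unauth - ms.start) // (ms.full - ms.start)
    return ms.rate + ramp


def should_drop(unauth: int, ms: MaxStartups, rng=random) -> bool:
    """One coin toss for a single incoming connection, as sshd would make it."""
    return rng.randrange(100) < drop_probability(unauth, ms)


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:100")  # the default shown in the man page
    for pending in (5, 10, 55, 99, 100):
        print(f"{pending:3d} pending -> {drop_probability(pending, cfg):3d}% refused")
```

Feeding your own MaxStartups value into parse_max_startups shows at which backlog a burst of Ansible connections starts to be refused, before you change the limit on a live host.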