Difference between MaxStartups and MaxSessions in sshd_config

Time: 2015-06-29 11:37:45

Tags: ssh server config

I want to limit the total number of ssh connections. I have read a lot of sshd manuals. They just say that these two fields can be used: MaxStartups: the maximum number of concurrent unauthenticated connections to the SSH daemon. MaxSessions: the maximum number of (multiplexed) open sessions permitted per TCP connection. How does each of them contribute to the total number of ssh connections?

2 answers:

Answer 0: (score: 4)

This question is quite old and would probably have been a better fit for serverfault, but there is no answer other than quoting the man page. My answer supplements the man page details by adding some context.

First, it should be noted that the two settings are independent of each other; they deal with different stages of an SSH connection.

MaxSessions

SSH allows session multiplexing, i.e. opening multiple sessions (for example a shell, an sftp transfer and a raw command) at the same time over just one TCP connection. This saves the overhead of multiple TCP handshakes and multiple SSH authentications. The MaxSessions parameter limits this multiplexing to a certain number of sessions.
If you set MaxSessions 1 and have a shell open, you can still run an SFTP transfer or open a second shell, but in the background SSH will open another TCP connection and authenticate again. (Using password authentication makes this visible.)
If you set MaxSessions 0, you make sure nobody can open a session (shell, SFTP or similar), but they can still connect to open tunnels or to ssh on to the next host.
Check out the ControlMaster section of ssh_config(5).

MaxSessions
     Specifies the maximum number of open shell, login or subsystem
     (e.g. sftp) sessions permitted per network connection.  Multiple
     sessions may be established by clients that support connection
     multiplexing.  Setting MaxSessions to 1 will effectively disable
     session multiplexing, whereas setting it to 0 will prevent all
     shell, login and subsystem sessions while still permitting
     forwarding.  The default is 10.

MaxStartups

When connecting to a remote SSH server, there is a time window between the connection being established and successful authentication. This window can be very short, for example when you have configured your SSH client to use a specific private key for this connection, or it can be long, when the client first tries three different SSH keys, you are asked for a password, and it then waits for you to type in the second authentication code you received by SMS. The total number of connections that are in this window at the same time is the "concurrent unauthenticated connections" mentioned in the quoted man page. If too many connections are in this state, sshd stops accepting new connections. You can tune MaxStartups to change when that happens.
A real-world use case for changing the default is, for example, a jump host used by the Ansible configuration software. When asked to provision a large number of hosts behind a jump host, Ansible opens many connections at the same time, so it can run into this limit if connections are opened faster than the SSH host can authenticate them.

MaxStartups
     Specifies the maximum number of concurrent unauthenticated
     connections to the SSH daemon.  Additional connections will be
     dropped until authentication succeeds or the LoginGraceTime
     expires for a connection.  The default is 10:30:100.

     Alternatively, random early drop can be enabled by specifying the
     three colon separated values ``start:rate:full'' (e.g.
     "10:30:60").  sshd(8) will refuse connection attempts with a
     probability of ``rate/100'' (30%) if there are currently
     ``start'' (10) unauthenticated connections.  The probability
     increases linearly and all connection attempts are refused if the
     number of unauthenticated connections reaches ``full'' (60).
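The start:rate:full early-drop schedule quoted above, worked through as an added example (this is illustration code written for this page, not OpenSSH's implementation): it parses a MaxStartups value and returns the probability that one more connection attempt is refused for a given number of unauthenticated connections. The treatment of a bare single number as start = full with rate 100 is an assumption made here.

```python
"""Worked example of the MaxStartups "start:rate:full" drop schedule.

Added illustration, not OpenSSH code: it mirrors the behaviour the
sshd_config(5) excerpt describes so the three knobs can be reasoned about.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int  # unauthenticated connections at which random drop begins
    rate: int   # drop probability in percent once `start` is reached
    full: int   # unauthenticated connections at which everything is refused

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        """Parse the sshd_config value, e.g. "10:30:100" (the default).

        Assumption for this example: a bare number such as "10" means
        start = full = 10 with rate 100, i.e. a hard cap, no early drop.
        """
        parts = value.split(":")
        if len(parts) == 1:
            n = int(parts[0])
            return cls(n, 100, n)
        if len(parts) != 3:
            raise ValueError(f"expected start:rate:full, got {value!r}")
        start, rate, full = (int(p) for p in parts)
        if not (0 < start <= full and 0 <= rate <= 100):
            raise ValueError(f"inconsistent MaxStartups value {value!r}")
        return cls(start, rate, full)

    def drop_probability(self, unauthenticated: int) -> float:
        """Chance that a new attempt is refused while `unauthenticated`
        connections are still waiting to authenticate: 0 below `start`,
        rate/100 at `start`, rising linearly to 1.0 at `full`."""
        if unauthenticated < self.start:
            return 0.0
        if unauthenticated >= self.full:
            return 1.0
        progress = (unauthenticated - self.start) / (self.full - self.start)
        return self.rate / 100 + (1 - self.rate / 100) * progress


def schedule(conf: MaxStartups, step: int = 10) -> list:
    """Tabulate (unauthenticated, drop probability) from 0 to `full`."""
    return [(n, round(conf.drop_probability(n), 3))
            for n in range(0, conf.full + 1, step)]


if __name__ == "__main__":
    for n, p in schedule(MaxStartups.parse("10:30:100")):
        print(f"{n:4d} unauthenticated -> {p:.0%} of new attempts refused")
```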

Answer 1: (score: 3)

MaxSessions
     Specifies the maximum number of open shell, login or subsystem
     (e.g. sftp) sessions permitted per network connection.  Multiple
     sessions may be established by clients that support connection
     multiplexing.  Setting MaxSessions to 1 will effectively disable
     session multiplexing, whereas setting it to 0 will prevent all
     shell, login and subsystem sessions while still permitting
     forwarding.  The default is 10.

MaxStartups
     Specifies the maximum number of concurrent unauthenticated
     connections to the SSH daemon.  Additional connections will be
     dropped until authentication succeeds or the LoginGraceTime
     expires for a connection.  The default is 10:30:100.

     Alternatively, random early drop can be enabled by specifying the
     three colon separated values ``start:rate:full'' (e.g.
     "10:30:60").  sshd(8) will refuse connection attempts with a
     probability of ``rate/100'' (30%) if there are currently
     ``start'' (10) unauthenticated connections.  The probability
     increases linearly and all connection attempts are refused if the
     number of unauthenticated connections reaches ``full'' (60).