Package: openssh-server
Version: 1:9.8p1-4
Severity: normal

The PerSourceMaxStartups should limit the number of concurrent
unauthenticated connections coming from a single source. But in recent
versions, all further connections from the given address are refused
after the server has handled the configured PerSourceMaxStartups
connections from it. It worked the expected way in some past versions.

To reproduce:

# sponge /etc/ssh/sshd_config.d/bug-startups.conf <<< 'PerSourceMaxStartups 2'
# service ssh restart
$ ssh localhost true
$ ssh localhost true
$ ssh localhost true

Observe the third connection failing and 'beginning MaxStartups
throttling' being logged without any other concurrent connections from
localhost at all.

-k

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-server depends on:
ii  adduser                    3.137
ii  debconf [debconf-2.0]      1.5.87
ii  init-system-helpers        1.66
ii  libaudit1                  1:3.1.2-4+b1
ii  libc6                      2.40-2
ii  libcom-err2                1.47.1-1
ii  libcrypt1                  1:4.4.36-5
ii  libgssapi-krb5-2           1.21.3-3
ii  libkrb5-3                  1.21.3-3
ii  libpam-modules             1.5.3-7
ii  libpam-runtime             1.5.3-7
ii  libpam0g                   1.5.3-7
ii  libselinux1                3.7-1+b1
ii  libssl3t64                 3.3.1-7
ii  libwrap0                   7.6.q-33
ii  lsb-base                   11.6
ii  openssh-client             1:9.8p1-4
ii  openssh-sftp-server        1:9.8p1-4
ii  procps                     2:4.0.4-5
ii  runit-helper               2.16.3
ii  sysvinit-utils [lsb-base]  3.10-1
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.3.dfsg+really1.3.1-1

Versions of packages openssh-server recommends:
pn  default-logind | logind | libpam-systemd  <none>
ii  ncurses-term                              6.5-2
ii  xauth                                     1:1.1.2-1

Versions of packages openssh-server suggests:
ii  molly-guard   0.8.4
pn  monkeysphere  <none>
ii  ssh-askpass   1:1.2.4.1-16+b1
pn  ufw           <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]

-- debconf information:
  openssh-server/permit-root-login: true
  openssh-server/password-authentication: false
