Details
Story
Resolution: Unresolved
Minor
sst_security_crypto
ssg_security
Description
Description of problem:
[RFE] Better document MaxStartups: explain the behavior when a single value is used instead of three colon-separated values
Version-Release number of selected component (if applicable):
any version
How reproducible:
always
Steps to Reproduce:
1. Set 'MaxStartups 10' in /etc/ssh/sshd_config
2. Restart sshd
3. man 5 sshd_config
Actual results:
MaxStartups is accepted.
From 'man 5 sshd_config':

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the SSH daemon.  Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection.  The default is 10:30:100.

             Alternatively, random early drop can be enabled by specifying the
             three colon separated values start:rate:full (e.g. "10:30:60").
             sshd(8) will refuse connection attempts with a probability of
             rate/100 (30%) if there are currently start (10) unauthenticated
             connections.  The probability increases linearly and all
             connection attempts are refused if the number of unauthenticated
             connections reaches full (60).
Expected results:
A detailed explanation of the single-value setting and/or an example using it.
Additional info:
Source: /source/RHEL8/RHEL8.8/openssh/openssh-8.0p1-17/openssh-8.0p1
[servconf.c]
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Standard Options */
[..]
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
[..]
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum, int *activep,
    struct connection_info *connectinfo)
{
[..]
	switch (opcode) {
[..]
	case sMaxStartups:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3)
[..]
		else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;
So setting "MaxStartups 10" is the same as setting "MaxStartups 10:-1:10".
Additional details in the MaxStartups documentation would give both users and security profile authors a better understanding of this setting.
If only a single value is set, security profiles such as CIS (evaluated with oscap) fail, claiming that the three colon-separated values are required (a bugzilla has already been opened for that as well).
Juan Gamba
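The following is an added example and is neither OpenSSH's code nor part of the report above. It re-implements the sscanf()-based parsing shown in the servconf.c excerpt, including the range check on the three-value form (start <= full, 1 <= rate <= 100) that the excerpt elides, and the drop arithmetic of sshd's drop_connection() in sshd.c, rewritten to return the drop probability instead of rolling a random number so that a setting's behaviour can be tabulated. The function names parse_max_startups and drop_probability and the struct layout are this example's own, not sshd's; the sample specs in main() are constructed for illustration.

```c
#include <stdio.h>

/* The three values sshd keeps for MaxStartups (names follow servconf.h). */
struct max_startups {
    int begin;  /* max_startups_begin: start dropping at this many pending */
    int rate;   /* max_startups_rate : initial drop probability, percent   */
    int full;   /* max_startups      : refuse everything at this many      */
};

/*
 * Parse a MaxStartups argument the way process_server_config_line() does.
 * Returns 0 on success, -1 where sshd would call fatal().  The point of the
 * report: with a single value sscanf() writes only .begin, .rate keeps the
 * -1 from initialize_server_options(), and .full is copied from .begin.
 */
int parse_max_startups(const char *arg, struct max_startups *ms)
{
    int n;

    ms->begin = ms->rate = ms->full = -1;   /* as initialize_server_options() */
    if (arg == NULL || *arg == '\0')
        return -1;                           /* "Missing MaxStartups spec." */
    n = sscanf(arg, "%d:%d:%d", &ms->begin, &ms->rate, &ms->full);
    if (n == 3) {
        /* Range check on the three-value form (assumed from servconf.c; it is
         * the part elided from the excerpt): start <= full, 1 <= rate <= 100. */
        if (ms->begin > ms->full || ms->rate > 100 || ms->rate < 1)
            return -1;                       /* "Illegal MaxStartups spec." */
    } else if (n != 1) {
        return -1;                           /* e.g. "10:30" or "abc" */
    } else {
        ms->full = ms->begin;                /* single value: a hard limit */
    }
    return 0;
}

/*
 * Percentage chance that sshd refuses a new unauthenticated connection when
 * `startups` are already pending.  Same arithmetic as drop_connection() in
 * sshd.c, but returning the probability instead of comparing it with a
 * random number, so the effect of a setting is deterministic here.
 */
int drop_probability(const struct max_startups *ms, int startups)
{
    int p;

    if (startups < ms->begin)
        return 0;       /* below start: always accept */
    if (startups >= ms->full)
        return 100;     /* at or above full: always refuse */
    /* Reaching here means begin <= startups < full, so full - begin > 0.
     * The single-value case (begin == full) never gets this far: it has no
     * probabilistic region at all. */
    p  = 100 - ms->rate;
    p *= startups - ms->begin;
    p /= ms->full - ms->begin;
    p += ms->rate;
    return p;
}

int main(void)
{
    /* constructed sample specs: single value, valid triple, three illegal ones */
    const char *specs[] = { "10", "10:30:60", "10:30", "60:30:10", "10:0:60" };
    size_t i;
    int s;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        struct max_startups ms;

        if (parse_max_startups(specs[i], &ms) != 0) {
            printf("MaxStartups %-9s -> Illegal MaxStartups spec.\n", specs[i]);
            continue;
        }
        printf("MaxStartups %-9s -> begin=%d rate=%d full=%d; pending:drop%%",
               specs[i], ms.begin, ms.rate, ms.full);
        for (s = 0; s <= 60; s += 10)
            printf(" %d:%d", s, drop_probability(&ms, s));
        putchar('\n');
    }
    return 0;
}
```

Compiled and run as is, the table makes the single-value behaviour concrete: "MaxStartups 10" parses to begin=10, rate=-1, full=10, accepts everything while fewer than 10 unauthenticated connections are pending and refuses the 11th unconditionally, with no random early drop region at all, whereas "10:30:60" ramps from a 30% drop at 10 pending to 100% at 60. The illegal specs show where sshd would refuse to start.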