I want to limit the total number of ssh connections. I have read many sshd manuals. They only say that these two fields can be used: MaxStartups: the maximum number of concurrent unauthenticated connections to the SSH daemon; MaxSessions: the maximum number of (multiplexed) open sessions permitted per TCP connection. What does each of them contribute to the total number of ssh connections?
This question is old and probably better suited to serverfault, but it has never been answered beyond quoting the man page. My answer supplements the man page details by adding some context.
First, it should be noted that the two settings are independent of each other: they deal with different phases of an SSH connection.
MaxSessions
SSH allows session multiplexing over a single TCP connection, that is, opening several sessions at the same time (for example a shell, an sftp transfer and a raw command). This saves the overhead of multiple TCP handshakes and multiple SSH authentications. The parameter MaxSessions lets you limit this multiplexing to a specific number of sessions.
If you set MaxSessions 1 and open a shell, you can still run an SFTP transfer or open a second shell, but in the background SSH will open another TCP connection and authenticate again. (Using password authentication makes this visible.)
If you set MaxSessions 0, you can make sure that nobody can open a session (shell, SFTP or similar), but you can still connect to open a tunnel or to ssh on to the next host.
Check the ControlMaster section of ssh_config(5).
MaxSessions
Specifies the maximum number of open shell, login or subsystem
(e.g. sftp) sessions permitted per network connection. Multiple
sessions may be established by clients that support connection
multiplexing. Setting MaxSessions to 1 will effectively disable
session multiplexing, whereas setting it to 0 will prevent all
shell, login and subsystem sessions while still permitting for-
warding. The default is 10.
MaxStartups
When you connect to a remote SSH server, there is a time window between the connection being established and successful authentication. This window can be very short, for example when you have configured your SSH client to use a certain private key for this connection, or it can be long, when the client first tries three different SSH keys, then asks you for a password, and then waits for you to enter a second-factor authentication code received via SMS. The sum of the connections that are in this window at the same time is the "concurrent unauthenticated connections" mentioned in the quoted man page. If there are too many connections in this state, sshd will stop accepting new connections. When that happens, MaxStartups can be adjusted to change this.
A real-world use case for changing the default is, for example, a jump host used by provisioning software such as ansible. When asked to provision a large number of hosts behind a jump host, Ansible opens many connections at the same time, so this limit can be hit if connections are opened faster than the SSH host can authenticate them.
MaxStartups
Specifies the maximum number of **concurrent unauthenticated con-
nections to the SSH daemon.** Additional connections will be
dropped until authentication succeeds or the LoginGraceTime
expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the
three colon separated values ``start:rate:full'' (e.g.
"10:30:60"). sshd(8) will refuse connection attempts with a
probability of ``rate/100'' (30%) if there are currently
``start'' (10) unauthenticated connections. The probability
increases linearly and all connection attempts are refused if the
number of unauthenticated connections reaches ``full'' (60).
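The random early drop behaviour quoted above is easier to reason about when you can compute it. The following Python is an added example written for this page; it is not from the answer above and not OpenSSH's source. It parses a MaxStartups value, returns the refusal probability for a given number of unauthenticated connections according to the "start:rate:full" rule in the man page, and replays the jump-host scenario from the answer: a burst of clients (the constructed `simulate_burst` scenario) that all connect before any of them finishes authenticating. Treating a bare number such as "10" as a hard limit (start == full) is an assumption made for this illustration.

```python
import random

# Added illustration of the sshd_config MaxStartups semantics
# ("start:rate:full" random early drop). Not OpenSSH's own code.


def parse_max_startups(spec):
    """Parse a MaxStartups value as written in sshd_config.

    "10:30:100" -> (10, 30, 100): refuse with 30% probability once 10
    connections are unauthenticated, rising linearly to 100% at 100.
    "10"        -> (10, 100, 10): a single number is modelled here
    (assumption) as a hard limit: every attempt is refused once 10
    connections are unauthenticated.
    """
    parts = spec.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if start > full or not 1 <= rate <= 100:
        raise ValueError(f"invalid MaxStartups spec: {spec!r}")
    return start, rate, full


def drop_probability(unauth, start, rate, full):
    """Percent chance that a new attempt is refused while `unauth`
    connections are sitting between TCP accept and successful auth."""
    if unauth < start:
        return 0
    if unauth >= full:
        return 100
    # linear ramp from `rate`% at `start` up to 100% at `full`
    return rate + (100 - rate) * (unauth - start) // (full - start)


def simulate_burst(attempts, spec, seed=0):
    """Constructed worst case for a jump host: `attempts` clients (say an
    ansible run) connect in a burst and none finishes authenticating during
    the burst, so every accepted connection stays unauthenticated.
    Returns (accepted, refused)."""
    start, rate, full = parse_max_startups(spec)
    rng = random.Random(seed)  # seeded so the run is reproducible
    unauth = accepted = refused = 0
    for _ in range(attempts):
        p = drop_probability(unauth, start, rate, full)
        if rng.randrange(100) < p:
            refused += 1
        else:
            accepted += 1
            unauth += 1
    return accepted, refused


if __name__ == "__main__":
    start, rate, full = parse_max_startups("10:30:100")
    for n in (0, 9, 10, 55, 99, 100):
        pct = drop_probability(n, start, rate, full)
        print(f"{n:3d} unauthenticated -> {pct:3d}% of new attempts refused")
    print("burst of 200, default 10:30:100:", simulate_burst(200, "10:30:100"))
    print("burst of 50, MaxStartups 10:     ", simulate_burst(50, "10"))
```

With the default 10:30:100 the daemon never holds more than 100 unauthenticated connections, but it starts refusing a share of new attempts as soon as 10 are pending, which is exactly what a parallel provisioning run sees as sporadic connection failures. Raising `start` (and `full`) is the knob; lowering `LoginGraceTime` shrinks how long each connection occupies a slot.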