I am now testing the following (which includes a little documentation for a new "MaxClients"):
Index: servconf.c =================================================================== RCS file: /cvs/openssh/servconf.c,v retrieving revision 1.163 diff -u -r1.163 servconf.c --- servconf.c 20 May 2007 05:03:16 -0000 1.163 +++ servconf.c 16 Oct 2007 16:50:46 -0000 @@ -108,6 +108,7 @@ options->protocol = SSH_PROTO_UNKNOWN; options->gateway_ports = -1; options->num_subsystems = 0; + options->max_clients = -1; options->max_startups_begin = -1; options->max_startups_rate = -1; options->max_startups = -1; @@ -224,6 +225,8 @@ options->allow_tcp_forwarding = 1; if (options->gateway_ports == -1) options->gateway_ports = 0; + if (options->max_clients == -1) + options->max_clients = 1000; if (options->max_startups == -1) options->max_startups = 10; if (options->max_startups_rate == -1) @@ -286,7 +289,7 @@ sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, - sMaxStartups, sMaxAuthTries, + sMaxClients, sMaxStartups, sMaxAuthTries, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -387,6 +390,7 @@ { "protocol", sProtocol, SSHCFG_GLOBAL }, { "gatewayports", sGatewayPorts, SSHCFG_ALL }, { "subsystem", sSubsystem, SSHCFG_GLOBAL }, + { "maxclients", sMaxClients, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, { "banner", sBanner, SSHCFG_ALL }, 
@@ -1115,6 +1119,10 @@ options->subsystem_args[options->num_subsystems] = p; options->num_subsystems++; break; + + case sMaxClients: + intptr = &options->max_clients; + goto parse_int; case sMaxStartups: arg = strdelim(&cp); Index: servconf.h =================================================================== RCS file: /cvs/openssh/servconf.h,v retrieving revision 1.72 diff -u -r1.72 servconf.h --- servconf.h 19 Feb 2007 11:25:38 -0000 1.72 +++ servconf.h 16 Oct 2007 16:50:46 -0000 @@ -115,6 +115,7 @@ u_int num_accept_env; char *accept_env[MAX_ACCEPT_ENV]; + int max_clients; int max_startups_begin; int max_startups_rate; int max_startups; Index: sshd.c =================================================================== RCS file: /cvs/openssh/sshd.c,v retrieving revision 1.364 diff -u -r1.364 sshd.c --- sshd.c 5 Jun 2007 08:22:32 -0000 1.364 +++ sshd.c 16 Oct 2007 16:50:47 -0000 @@ -181,6 +181,11 @@ int num_listen_socks = 0; /* + * Keep track of number of clients for MaxClients. + */ +int num_clients = 0; + +/* * the client's version string, passed by sshd2 in compat mode. if != NULL, * sshd will skip the version-number exchange */ @@ -338,6 +343,8 @@ (pid < 0 && errno == EINTR)) ; + num_clients--; + signal(SIGCHLD, main_sigchld_handler); errno = save_errno; } @@ -1092,6 +1099,11 @@ close(*newsock); continue; } + if (num_clients >= options.max_clients) { + debug("max clients %d", num_clients); + close(*newsock); + continue; + } if (drop_connection(startups) == 1) { debug("drop connection #%d", startups); close(*newsock); @@ -1185,6 +1197,8 @@ debug("Forked child %ld.", (long)pid); close(startup_p[1]); + + num_clients++; if (rexec_flag) { send_rexec_state(config_s[0], &cfg); Index: sshd_config =================================================================== RCS file: /cvs/openssh/sshd_config,v retrieving revision 1.78 diff -u -r1.78 sshd_config --- sshd_config 17 Sep 2007 01:57:38 -0000 1.78 +++ sshd_config 16 Oct 2007 16:50:47 -0000 
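Review bot: The new `case sMaxClients` in servconf.c passes the value to the shared `parse_int` path with no lower bound visible in this hunk. A zero or negative MaxClients (other than the -1 sentinel, which the defaults hunk turns into 1000) would make the accept-loop test `num_clients >= options.max_clients` in sshd.c refuse every connection. `parse_int` is outside the hunk, so whether it range-checks cannot be seen here. If it does not, validate after parsing, either inline in this case instead of the `goto` or once defaults are filled in: `if (options->max_clients < 1) fatal("MaxClients must be at least 1");`. A typo in this keyword should fail at config load rather than silently lock administrators out of the host.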
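Review bot: `num_clients` is declared in the sshd.c @@ -181 hunk as a plain global `int`, yet the later hunks write it from two contexts. It is decremented in the SIGCHLD handler (`num_clients--`, @@ -338) and incremented in the accept loop (`num_clients++`, @@ -1185). An object shared with a signal handler should be `volatile sig_atomic_t`, and the `++` in the main loop is a read-modify-write that a SIGCHLD arriving mid-update can undo, so the count can drift. Declare it `static volatile sig_atomic_t num_clients = 0;` and block SIGCHLD around the increment, or have the handler only record reaped children and adjust the counter from the main loop. The comment above the declaration should also say that the counter is updated from signal context.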
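Review bot: In the sshd.c @@ -338 hunk, `num_clients--` sits after the loop whose tail `(pid < 0 && errno == EINTR)) ;` is visible just above it, presumably the non-blocking `waitpid` reaping loop. It therefore runs once per handler invocation rather than once per reaped child. SIGCHLD is not queued, so several children exiting close together can produce a single delivery; the loop reaps them all but the counter drops by only one. The count then creeps upward until it reaches MaxClients and the daemon refuses all new connections until it is restarted. Make the decrement the loop body in place of the empty statement, `if (pid > 0) num_clients--;`; the head of the loop and the handler signature are outside this hunk.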
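Review bot: Refusals caused by the new limit in the sshd.c @@ -1092 hunk are reported only through `debug("max clients %d", num_clients)`. That is not emitted at the default log level, so an operator cannot tell from the logs that sshd is turning connections away. Hitting the cap is the event worth alerting on, whether it comes from connection exhaustion or from the counter drifting. Log it at a level that reaches syslog and include the configured limit, e.g. `logit("MaxClients %d reached, refusing connection", options.max_clients);`. The enclosing accept loop starts and ends outside this hunk.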
@@ -100,6 +100,7 @@ #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid +#MaxClients 1000 #MaxStartups 10 #PermitTunnel no Index: sshd_config.5 =================================================================== RCS file: /cvs/openssh/sshd_config.5,v retrieving revision 1.84 diff -u -r1.84 sshd_config.5 --- sshd_config.5 17 Sep 2007 01:57:38 -0000 1.84 +++ sshd_config.5 16 Oct 2007 16:50:47 -0000 @@ -536,6 +536,11 @@ Once the number of failures reaches half this value, additional failures are logged. The default is 6. +.It Cm MaxClients +Specifies the maximum number of concurrent connections to the +SSH daemon. +The default is 1000. +.Pp .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.