I am now testing the following patch (which includes a little documentation for 
a new "MaxClients" option):

Index: servconf.c
===================================================================
RCS file: /cvs/openssh/servconf.c,v
retrieving revision 1.163
diff -u -r1.163 servconf.c
--- servconf.c  20 May 2007 05:03:16 -0000      1.163
+++ servconf.c  16 Oct 2007 16:50:46 -0000
@@ -108,6 +108,7 @@
        options->protocol = SSH_PROTO_UNKNOWN;
        options->gateway_ports = -1;
        options->num_subsystems = 0;
+       options->max_clients = -1;
        options->max_startups_begin = -1;
        options->max_startups_rate = -1;
        options->max_startups = -1;
@@ -224,6 +225,8 @@
                options->allow_tcp_forwarding = 1;
        if (options->gateway_ports == -1)
                options->gateway_ports = 0;
+       if (options->max_clients == -1)
+               options->max_clients = 1000;
        if (options->max_startups == -1)
                options->max_startups = 10;
        if (options->max_startups_rate == -1)
@@ -286,7 +289,7 @@
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
        sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
-       sMaxStartups, sMaxAuthTries,
+       sMaxClients, sMaxStartups, sMaxAuthTries,
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -387,6 +390,7 @@
        { "protocol", sProtocol, SSHCFG_GLOBAL },
        { "gatewayports", sGatewayPorts, SSHCFG_ALL },
        { "subsystem", sSubsystem, SSHCFG_GLOBAL },
+       { "maxclients", sMaxClients, SSHCFG_GLOBAL },
        { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
        { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
        { "banner", sBanner, SSHCFG_ALL },
@@ -1115,6 +1119,10 @@
                options->subsystem_args[options->num_subsystems] = p;
                options->num_subsystems++;
                break;
+
+       case sMaxClients:
+               intptr = &options->max_clients;
+               goto parse_int;
 
        case sMaxStartups:
                arg = strdelim(&cp);
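Review bot: `case sMaxClients` hands the value straight to the shared `parse_int` path with no range check of its own, so `MaxClients 0` or a negative number looks like it would be accepted. With the `num_clients >= options.max_clients` test added in sshd.c, any such value makes the listener close every new connection, and -1 collides with the "unset" sentinel and silently becomes 1000. The `parse_int` label is outside this hunk, so confirm whether it validates anything; if not, parse the argument in this case and reject values below 1 with a `fatal()` that names the file and line, as the other option errors do. A one-line comment that -1 is reserved for "not set" would also help.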
Index: servconf.h
===================================================================
RCS file: /cvs/openssh/servconf.h,v
retrieving revision 1.72
diff -u -r1.72 servconf.h
--- servconf.h  19 Feb 2007 11:25:38 -0000      1.72
+++ servconf.h  16 Oct 2007 16:50:46 -0000
@@ -115,6 +115,7 @@
        u_int num_accept_env;
        char   *accept_env[MAX_ACCEPT_ENV];
 
+       int     max_clients;
        int     max_startups_begin;
        int     max_startups_rate;
        int     max_startups;
Index: sshd.c
===================================================================
RCS file: /cvs/openssh/sshd.c,v
retrieving revision 1.364
diff -u -r1.364 sshd.c
--- sshd.c      5 Jun 2007 08:22:32 -0000       1.364
+++ sshd.c      16 Oct 2007 16:50:47 -0000
@@ -181,6 +181,11 @@
 int num_listen_socks = 0;
 
 /*
+ * Keep track of number of clients for MaxClients.
+ */
+int num_clients = 0;
+
+/*
  * the client's version string, passed by sshd2 in compat mode. if != NULL,
  * sshd will skip the version-number exchange
  */
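Review bot: `num_clients` is a plain `int`, yet this patch decrements it in the SIGCHLD handler and increments and reads it in the accept loop. The main loop's `num_clients++` can be interrupted between its load and its store, and the handler's decrement is then lost. Each lost decrement leaves the count one too high permanently, which moves the daemon toward refusing all connections once the count reaches MaxClients. Declare it `static volatile sig_atomic_t num_clients = 0;` and either block SIGCHLD around the increment or have the handler only set a flag and do the counting in the main loop. The comment should also state which contexts write the variable.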
@@ -338,6 +343,8 @@
            (pid < 0 && errno == EINTR))
                ;
 
+       num_clients--;
+
        signal(SIGCHLD, main_sigchld_handler);
        errno = save_errno;
 }
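Review bot: `num_clients--` runs once per handler invocation, but the loop whose tail is visible at the top of this hunk can reap more than one child per call, because pending SIGCHLDs are coalesced rather than queued. Its head is outside the hunk; it appears to be the `waitpid` reaping loop. When two children exit close together the counter drops by one instead of two, so it drifts upward under load until `num_clients >= options.max_clients` holds with no clients connected, and only a restart clears it. Move the decrement into the loop body so it runs once per successfully reaped pid, e.g. `if (pid > 0) num_clients--;` as the loop statement in place of the empty `;`.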
@@ -1092,6 +1099,11 @@
                                close(*newsock);
                                continue;
                        }
+                       if (num_clients >= options.max_clients) {
+                               debug("max clients %d", num_clients);
+                               close(*newsock);
+                               continue;
+                       }
                        if (drop_connection(startups) == 1) {
                                debug("drop connection #%d", startups);
                                close(*newsock);
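Review bot: The refusal at `if (num_clients >= options.max_clients)` is reported only through `debug()`, so at the default LogLevel an operator gets no record that sshd is turning clients away. Hitting this cap locks out every user, administrators included, so it deserves a message at a normally visible level that names the limit, e.g. `logit("refusing connection: MaxClients %d reached", options.max_clients);`. Rate-limit it, or log once per transition, so a connection flood cannot fill the log. A short comment that this check counts authenticated sessions too, unlike `drop_connection(startups)` below, would make the difference between the two limits clear.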
@@ -1185,6 +1197,8 @@
                                debug("Forked child %ld.", (long)pid);
 
                        close(startup_p[1]);
+
+                       num_clients++;
 
                        if (rexec_flag) {
                                send_rexec_state(config_s[0], &cfg);
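Review bot: `num_clients++` sits after `close(startup_p[1])`, a point the parent appears to reach whether or not `fork()` succeeded. The `debug("Forked child ...")` line above looks like the success arm of an if/else that begins outside the hunk. If that is so, a failed fork is counted as a client that no SIGCHLD will ever remove, and fork failures are most likely when the host is already short of resources. Guard the increment with the fork result, `if (pid > 0) num_clients++;`, so only children that exist are counted.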
Index: sshd_config
===================================================================
RCS file: /cvs/openssh/sshd_config,v
retrieving revision 1.78
diff -u -r1.78 sshd_config
--- sshd_config 17 Sep 2007 01:57:38 -0000      1.78
+++ sshd_config 16 Oct 2007 16:50:47 -0000
@@ -100,6 +100,7 @@
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
+#MaxClients 1000
 #MaxStartups 10
 #PermitTunnel no
 
Index: sshd_config.5
===================================================================
RCS file: /cvs/openssh/sshd_config.5,v
retrieving revision 1.84
diff -u -r1.84 sshd_config.5
--- sshd_config.5       17 Sep 2007 01:57:38 -0000      1.84
+++ sshd_config.5       16 Oct 2007 16:50:47 -0000
@@ -536,6 +536,11 @@
 Once the number of failures reaches half this value,
 additional failures are logged.
 The default is 6.
+.It Cm MaxClients
+Specifies the maximum number of concurrent connections to the
+SSH daemon.
+The default is 1000.
+.Pp
 .It Cm MaxStartups
 Specifies the maximum number of concurrent unauthenticated connections to the
 SSH daemon.
