Unable to limit concurrent ssh sessions

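Currently, I am facing an issue with dropbear. I have set the maximum number of concurrent ssh sessions to 10, but I am still able to establish an 11th ssh session. Could you let me know what I am doing wrong?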

cat /proc/sys/kernel/pty/max
10

I am using a 64-bit platform.

Answer 1

An SSH server can impose this kind of limit through the MaxSessions option in its configuration file. However, according to the SSH man page:

MaxSessions
     Specifies the maximum number of open shell, login or subsystem
     (e.g. sftp) sessions permitted per network connection.  Multiple
     sessions may be established by clients that support connection
     multiplexing.  Setting MaxSessions to 1 will effectively disable
     session multiplexing, whereas setting it to 0 will prevent all
     shell, login and subsystem sessions while still permitting for-
     warding.  The default is 10.

MaxStartups
     Specifies the maximum number of **concurrent   unauthenticated con-
     nections to the SSH daemon.**  Additional connections will be
     dropped until authentication succeeds or the LoginGraceTime
     expires for a connection.  The default is 10:30:100.

     Alternatively, random early drop can be enabled by specifying the
     three colon separated values ``start:rate:full'' (e.g.
     "10:30:60").  sshd(8) will refuse connection attempts with a
     probability of ``rate/100'' (30%) if there are currently
     ``start'' (10) unauthenticated connections.  The probability
     increases linearly and all connection attempts are refused if the
     number of unauthenticated connections reaches ``full'' (60).

Dropbear implements the complete SSH version 2 protocol in both the client and the server. So, I believe you should run a command like this:

ssh  stream  tcp  nowait/3  root  /usr/sbin/sshd  sshd -i -4

This will limit the number of concurrent ssh connections to 3. Adjust as needed.
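
The MaxStartups excerpt quoted above describes a linear ramp over unauthenticated connections; the following is an added example (not part of the answer and not OpenSSH's own code) that computes the refusal percentage from that description. The function names are hypothetical, and treating a single value N as a hard cap is an assumption.

```python
# Added example: refusal probability for sshd's MaxStartups "start:rate:full",
# following the linear ramp described in the sshd_config man page excerpt.

def parse_max_startups(value):
    """Parse 'start:rate:full' or a single number into (start, rate, full)."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        # Assumption: a single value N acts as a hard cap, i.e. N:100:N.
        start, rate, full = parts[0], 100, parts[0]
    elif len(parts) == 3:
        start, rate, full = parts
    else:
        raise ValueError("expected 'N' or 'start:rate:full': %r" % value)
    if start < 1 or full < start or not 1 <= rate <= 100:
        raise ValueError("inconsistent MaxStartups value: %r" % value)
    return start, rate, full


def refusal_percent(unauthenticated, value="10:30:100"):
    """Percent chance that a new connection is refused at this load."""
    start, rate, full = parse_max_startups(value)
    if unauthenticated < start:
        return 0.0
    if unauthenticated >= full or rate == 100:
        return 100.0
    # Linear ramp from `rate` at `start` up to 100 at `full`.
    return rate + (100 - rate) * (unauthenticated - start) / (full - start)


def ramp(value, loads):
    """Refusal percentage for each load in `loads` (constructed inputs)."""
    return [(n, round(refusal_percent(n, value), 1)) for n in loads]


if __name__ == "__main__":
    # Constructed loads; "10:30:60" is the example value quoted in the man page.
    for n, pct in ramp("10:30:60", [9, 10, 35, 59, 60]):
        print("%3d unauthenticated -> %5.1f%% refused" % (n, pct))
    # Only unauthenticated connections are counted here, so sessions that
    # have already logged in are not limited by MaxStartups.
```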

Answer 2

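Based on several hours of experimentation, Dropbear does not register user sessions through PAM, so adding any rule of type session for the dropbear application is pointless. I did succeed with sshd, though. In addition, I found a link where someone else points this out.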

https://github.com/mkj/dropbear/issues/132
