我想限制ssh连接的总数。我已经看过许多sshd手册。他们只是说可以使用MaxStartups这两个字段:到SSH守护进程的并发未经身份验证的连接的最大数量MaxSession:每个TCP连接允许的(复用)打开会话的最大数量。两者在计算ssh连接总数方面有什么贡献?
wed*_*edi 11
这个问题已经很老了,可能更适合 serverfault,但除了引用手册页之外,它从未得到答案。我的回答是通过添加一些上下文来补充手册页的细节。
首先,应该注意的是,这两个设置是相互独立的,它们针对 SSH 连接的不同阶段。
最大会话数
SSH 允许会话多路复用,即仅使用一个 TCP 连接同时打开多个会话(例如,shell、sftp 传输和原始命令)。这节省了多次 TCP 握手和多次 SSH 身份验证的开销。该参数MaxSessions允许将此多路复用限制为一定数量的会话。
如果您设置MaxSessions 1并打开了一个 shell,您仍然可以运行 SFTP 传输或打开第二个 shell,但在后台 SSH 将打开另一个 TCP 连接并再次进行身份验证。(使用密码身份验证使其可见)。
如果您设置,MaxSessions 0您可以确保没有人可以打开会话(shell、SFTP 或类似的),但您仍然可以连接以打开隧道或 ssh 到下一个主机。
签出 ControlMaster 部分ssh_config(5)。
MaxSessions
Specifies the maximum number of open shell, login or subsystem
(e.g. sftp) sessions permitted per network connection. Multiple
sessions may be established by clients that support connection
multiplexing. Setting MaxSessions to 1 will effectively disable
session multiplexing, whereas setting it to 0 will prevent all
shell, login and subsystem sessions while still permitting for-
warding. The default is 10.
最大初创公司
当您连接到远程 SSH 服务器时,在建立连接和成功验证之间有一个时间窗口。此时间范围可能非常小,例如,当您将 SSH 客户端配置为使用某个私钥进行此连接时,或者可能很长,当客户端首先尝试三个不同的 SSH 密钥时,要求您输入密码然后等待让您输入通过短信获得的第二个因素身份验证代码。同时在此时间范围内的连接总数是引用的手册页中提到的“并发未经身份验证的连接”。如果处于这种状态的连接过多,sshd 将停止接受新的连接。MaxStartups发生这种情况时,您可以进行调整以进行更改。
例如,更改默认值的真实用例是由 ansible 等配置软件使用的跳转主机。当要求在跳转主机后面配置大量主机时,Ansible 会同时打开许多连接,因此如果打开连接的速度比 SSH 主机能够对其进行身份验证的速度快,它可能会遇到此限制。
MaxStartups
Specifies the maximum number of **concurrent unauthenticated con-
nections to the SSH daemon.** Additional connections will be
dropped until authentication succeeds or the LoginGraceTime
expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the
three colon separated values ``start:rate:full'' (e.g.
"10:30:60"). sshd(8) will refuse connection attempts with a
probability of ``rate/100'' (30%) if there are currently
``start'' (10) unauthenticated connections. The probability
increases linearly and all connection attempts are refused if the
number of unauthenticated connections reaches ``full'' (60).
MaxSessions
Specifies the maximum number of open shell, login or subsystem
(e.g. sftp) sessions permitted per network connection. Multiple
sessions may be established by clients that support connection
multiplexing. Setting MaxSessions to 1 will effectively disable
session multiplexing, whereas setting it to 0 will prevent all
shell, login and subsystem sessions while still permitting for-
warding. The default is 10.
MaxStartups
Specifies the maximum number of **concurrent unauthenticated con-
nections to the SSH daemon.** Additional connections will be
dropped until authentication succeeds or the LoginGraceTime
expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the
three colon separated values ``start:rate:full'' (e.g.
"10:30:60"). sshd(8) will refuse connection attempts with a
probability of ``rate/100'' (30%) if there are currently
``start'' (10) unauthenticated connections. The probability
increases linearly and all connection attempts are refused if the
number of unauthenticated connections reaches ``full'' (60).
| 归档时间: |
|
| 查看次数: |
11127 次 |
| 最近记录: |