olle ollesson
2005-Dec-01 17:03 UTC
Sending SSH_MSG_DISCONNECT before dropping connections
Hi.

From my understanding the MaxStartups option can be set to limit the number
of concurrent sessions the OpenSSH server opens. My concern is how OpenSSH
handles the case where this number is reached.

From the code it looks like it simply closes the socket:

sshd.c:1440
        if (drop_connection(startups) == 1) {
                debug("drop connection #%d", startups);
                close(newsock);
                continue;
        }

Why is there no disconnect message sent that explains to the client why the
socket was closed?

From draft-ietf-secsh-transport-24.txt, chapter 11:
----------------------------------------------------------
11. Additional Messages

   Either party may send any of the following messages at any time.

11.1 Disconnection Message

      byte      SSH_MSG_DISCONNECT
      uint32    reason code
      string    description [RFC3629]
      string    language tag [RFC3066]

   This message causes immediate termination of the connection. All
   implementations MUST be able to process this message; they SHOULD be
   able to send this message.

   The sender MUST NOT send or receive any data after this message, and
   the recipient MUST NOT accept any data after receiving this message.
   The Disconnection Message 'description' string gives a more specific
   explanation in a human-readable form. The Disconnection Message
   'reason code' gives the reason in a more machine-readable format
   (suitable for localization), and can have the values as displayed in
   the table below. Note that the decimal representation is displayed in
   this table for readability but that the values are actually uint32
   values.

      Symbolic name                                  reason code
      -------------                                  -----------
      SSH_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT               1
      SSH_DISCONNECT_PROTOCOL_ERROR                            2
      SSH_DISCONNECT_KEY_EXCHANGE_FAILED                       3
      SSH_DISCONNECT_RESERVED                                  4
      SSH_DISCONNECT_MAC_ERROR                                 5
      SSH_DISCONNECT_COMPRESSION_ERROR                         6
      SSH_DISCONNECT_SERVICE_NOT_AVAILABLE                     7
      SSH_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED            8
      SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE                   9
      SSH_DISCONNECT_CONNECTION_LOST                          10
      SSH_DISCONNECT_BY_APPLICATION                           11
      SSH_DISCONNECT_TOO_MANY_CONNECTIONS                     12
      SSH_DISCONNECT_AUTH_CANCELLED_BY_USER                   13
      SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE           14
      SSH_DISCONNECT_ILLEGAL_USER_NAME                        15
----------------------------------------------------------

If an SSH_DISCONNECT_TOO_MANY_CONNECTIONS disconnect message were to be sent
before the connection is closed, how far would the SSH connection setup need
to go before this could be done? The draft says it can be sent at any time.
Can we send it before the "Protocol Version Exchange"? Probably not. Before
the Key Exchange? I'm not sure.

Question is, how far would the ssh negotiation/connection setup need to go
in order for the ssh server to refuse the connection in a more controlled
way, that is sending the SSH_DISCONNECT_TOO_MANY_CONNECTIONS disconnect
message, and still be compliant with the draft standard?

Best Regards,
Olle
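As an added illustration (not code from the post or from OpenSSH), the section 11.1 layout quoted above, encoded and decoded in Python; the message number 1 for SSH_MSG_DISCONNECT comes from the transport draft, and the description text used in the parser's docstring example is a constructed sample.

```python
import struct

# Message number and reason codes as in draft-ietf-secsh-transport section 11.1
# (SSH_MSG_DISCONNECT is message number 1 in the transport protocol).
SSH_MSG_DISCONNECT = 1
DISCONNECT_REASONS = {
    1: "HOST_NOT_ALLOWED_TO_CONNECT", 2: "PROTOCOL_ERROR",
    3: "KEY_EXCHANGE_FAILED", 4: "RESERVED", 5: "MAC_ERROR",
    6: "COMPRESSION_ERROR", 7: "SERVICE_NOT_AVAILABLE",
    8: "PROTOCOL_VERSION_NOT_SUPPORTED", 9: "HOST_KEY_NOT_VERIFIABLE",
    10: "CONNECTION_LOST", 11: "BY_APPLICATION", 12: "TOO_MANY_CONNECTIONS",
    13: "AUTH_CANCELLED_BY_USER", 14: "NO_MORE_AUTH_METHODS_AVAILABLE",
    15: "ILLEGAL_USER_NAME",
}

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data

def build_disconnect(reason_code, description, language_tag=""):
    """Serialise an SSH_MSG_DISCONNECT payload in the layout of section 11.1."""
    return (bytes([SSH_MSG_DISCONNECT])
            + struct.pack(">I", reason_code)
            + ssh_string(description.encode("utf-8"))
            + ssh_string(language_tag.encode("ascii")))

def _read_string(buf, off):
    """Read one SSH 'string' at offset off, refusing lengths that overrun buf."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length %d overruns payload" % n)
    return buf[off:off + n], off + n

def parse_disconnect(payload):
    """Decode a received SSH_MSG_DISCONNECT payload (e.g. reason 12, 'Too many connections')."""
    if len(payload) < 5 or payload[0] != SSH_MSG_DISCONNECT:
        raise ValueError("not a well-formed SSH_MSG_DISCONNECT payload")
    (reason,) = struct.unpack_from(">I", payload, 1)
    desc, off = _read_string(payload, 5)
    lang, off = _read_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after language tag")
    name = "SSH_DISCONNECT_" + DISCONNECT_REASONS.get(reason, "UNKNOWN_%d" % reason)
    return {"reason_code": reason, "reason_name": name,
            "description": desc.decode("utf-8", errors="replace"),
            "language_tag": lang.decode("ascii", errors="replace")}
```

The parser checks every length field against the remaining payload before slicing, which is the check a receiver needs because both lengths arrive from the peer.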