bugzilla-daemon at mindrot.org
2023-Sep-07  07:20 UTC
[Bug 3612] New: sshd_config configuration options: MaxAuthTries and MaxSessions
https://bugzilla.mindrot.org/show_bug.cgi?id=3612
            Bug ID: 3612
           Summary: sshd_config configuration options: MaxAuthTries and
                    MaxSessions
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: ARM64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: maggiezhuooo at 163.com
1. changed MaxAuthTries to 7 (to allow for four password verifications
after none, publickey, and keyboard-interactive), but it didn't work, I
tried changing the option to a larger number, and the password
verification was still only three times.
    2. change MaxSessions to 2, I hope at the same time, only two
sessions can connect to sshd, I connected a linux board on the server,
in the board's sshd_config configure the item to 2. through the local
computer ssh connection to the server, and then through the ssh
connection to the board (the board is assigned a local ip address),
I've opened three terminal windows, and I can still connect to all of
them.
    How do I configure this to achieve my goal?
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Sep-07  08:04 UTC
[Bug 3612] sshd_config configuration options: MaxAuthTries and MaxSessions
https://bugzilla.mindrot.org/show_bug.cgi?id=3612
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
         Resolution|---                         |WORKSFORME
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
(In reply to maggiezhuooo from comment #0)
> 1. changed MaxAuthTries to 7 (to allow for four password
> verifications after none, publickey, and keyboard-interactive), but
> it didn't work, I tried changing the option to a larger number, and
> the password verification was still only three times.
MaxAuthTries controls the number of attempts the server allows, but the
client has its own limit: NumberOfPasswordPrompts. You'll need to
adjust that too if you want more password attempts.
>     2. change MaxSessions to 2, I hope at the same time, only two
> sessions can connect to sshd, I connected a linux board on the
> server, in the board's sshd_config configure the item to 2. through
> the local computer ssh connection to the server, and then through
> the ssh connection to the board (the board is assigned a local ip
> address), I've opened three terminal windows, and I can still
> connect to all of them.
That's not what MaxSessions does. From the sshd_config manual page:
>   MaxSessions
>        Specifies the maximum number of open shell, login or subsystem
>        (e.g. sftp) sessions permitted *per network connection*.
This option doesn't control the total number of connections that can be
opened, but instead the number of sessions that can be multiplexed over
each connection (e.g. using ssh's ControlMaster multiplexing).
To control the total number of active sessions you'd probably need to
look at pam_limits or similar. There is no option in sshd to do this.
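The three limits discussed in comment #1, put side by side (an added example, not part of the original thread or of OpenSSH). The sample text is constructed in the shape of `sshd -T`, `ssh -G <host>` and `/etc/security/limits.conf`; the host name `board` and the choice of the pam_limits item `maxsyslogins` are assumptions.

```shell
#!/bin/sh
# Added example. All sample text below is constructed, not captured output.

# Shaped like `sshd -T` (server's effective settings, lowercase keywords).
SSHD_T='maxauthtries 7
maxsessions 2
usepam yes'

# Shaped like `ssh -G board` (client's effective settings for one host).
SSH_G='hostname board
numberofpasswordprompts 3'

# Shaped like /etc/security/limits.conf: <domain> <type> <item> <value>.
LIMITS='# constructed sample
*      hard  nofile        4096
*      -     maxsyslogins  2'

# get_opt KEYWORD DUMP: value of a keyword in an sshd -T / ssh -G style dump.
get_opt() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# password_prompt_cap SSHD_DUMP SSH_DUMP: most password prompts one connection
# can produce. Both sides must agree, so the smaller limit wins; attempts spent
# on other methods can lower the server-side share further.
password_prompt_cap() {
    srv=$(get_opt maxauthtries "$1")
    cli=$(get_opt numberofpasswordprompts "$2")
    if [ "$cli" -lt "$srv" ]; then echo "$cli"; else echo "$srv"; fi
}

# system_login_cap LIMITS_TEXT SSHD_DUMP: pam_limits' maxsyslogins value, or
# "none" if it is unset or sshd does not use PAM. (pam_limits must also be in
# sshd's PAM session stack, which this sketch does not check.)
system_login_cap() {
    [ "$(get_opt usepam "$2")" = yes ] || { echo none; return; }
    v=$(printf '%s\n' "$1" |
        awk '$1 !~ /^#/ && $3 == "maxsyslogins" { v = $4 } END { print v }')
    echo "${v:-none}"
}

echo "password prompts per connection: at most $(password_prompt_cap "$SSHD_T" "$SSH_G")"
echo "sessions per connection (MaxSessions): $(get_opt maxsessions "$SSHD_T")"
echo "logins system-wide (pam_limits): $(system_login_cap "$LIMITS" "$SSHD_T")"
```

On a real system, feed the functions the output of `sshd -T` (run as root on the server) and `ssh -G <host>` (run on the client) instead of the constructed samples.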
bugzilla-daemon at mindrot.org
2023-Sep-07  10:50 UTC
[Bug 3612] sshd_config configuration options: MaxAuthTries and MaxSessions
https://bugzilla.mindrot.org/show_bug.cgi?id=3612
--- Comment #2 from maggiezhuooo at 163.com ---
(In reply to Damien Miller from comment #1)
> (In reply to maggiezhuooo from comment #0)
> > 1. changed MaxAuthTries to 7 (to allow for four password
> > verifications after none, publickey, and keyboard-interactive), but
> > it didn't work, I tried changing the option to a larger number, and
> > the password verification was still only three times.
>
> MaxAuthTries controls the number of attempts the server allows, but
> the client has its own limit: NumberOfPasswordPrompts. You'll need
> to adjust that too if you want more password attempts.
>
> >     2. change MaxSessions to 2, I hope at the same time, only two
> > sessions can connect to sshd, I connected a linux board on the
> > server, in the board's sshd_config configure the item to 2. through
> > the local computer ssh connection to the server, and then through
> > the ssh connection to the board (the board is assigned a local ip
> > address), I've opened three terminal windows, and I can still
> > connect to all of them.
>
> That's not what MaxSessions does. From the sshd_config manual page:
>
> >   MaxSessions
> >        Specifies the maximum number of open shell, login or subsystem
> >        (e.g. sftp) sessions permitted *per network connection*.
>
> This option doesn't control the total number of connections that can
> be opened, but instead the number of sessions that can be
> multiplexed over each connection (e.g. using ssh's ControlMaster
> multiplexing).
>
> To control the total number of active sessions you'd probably need
> to look at pam_limits or similar. There is no option in sshd to do
> this.

Thanks for your reply!
For question 1: I want the server side to be able to adapt to any configuration of the client but I can't control that configuration in sshd, do I need to modify the code?
For question 2: If I want to control the total number of active sessions, I need to modify the system login module, which is not directly determined by sshd?