bugzilla-daemon at mindrot.org
2024-Jul-12 18:15 UTC
[Bug 3709] New: PerSourceMaxStartups no longer works as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=3709
Bug ID: 3709
Summary: PerSourceMaxStartups no longer works as advertised
Product: Portable OpenSSH
Version: 9.8p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: hans at anargy.com
According to the manpage, PerSourceMaxStartups specifies the number of
unauthenticated connections allowed from a given source address.
If this is set at a number, for example 3, it should be possible to
open multiple authenticated sessions, one after another. Until version
9.7p1 this was possible. But set at, for example, 3, it is not possible
to open more than three sessions, with a message in the log that new
sessions are being dropped.
What is worse, if all these sessions are disconnected again, it is not
possible at all to log in for a number of minutes.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Jul-15 04:00 UTC
[Bug 3709] PerSourceMaxStartups no longer works as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=3709
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I can't reproduce this. Could you please include logs from sshd
refusing connections?
It's possible that you're seeing the effects of the new
PerSourcePenalties option:
https://man.openbsd.org/sshd_config#PerSourcePenalties
Depending on your environment, you might need to adjust its
threshold/timeouts or disable it.
bugzilla-daemon at mindrot.org
2024-Dec-04 22:02 UTC
[Bug 3709] PerSourceMaxStartups no longer works as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=3709
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Closing for lack of response. If you can provide the requested
information then please reopen.
bugzilla-daemon at mindrot.org
2025-Oct-30 12:50 UTC
[Bug 3709] PerSourceMaxStartups no longer works as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=3709
bsn at novem.io changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bsn at novem.io
--- Comment #3 from bsn at novem.io ---
I got rabbit-holed on this issue, but it looks like it was fixed in
```
upstream: Fix mistracking of MaxStartups process exits in some
situations. At worst, this can cause all MaxStartups slots to fill and
sshd to refuse new connections.
Diagnosis by xnor; ok dtucker@
OpenBSD-Commit-ID: 10273033055552557196730f898ed6308b36a78d
```
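The slot accounting discussed in this thread, as a simplified model added here for illustration; it is not sshd's code and not part of any message above, and the class, function and parameter names are hypothetical. It shows that sequential authenticated sessions should never reach a per-source limit of 3, and how slots that are not released on exit fill the limit and cause every later connection from that source to be dropped.

```python
# Toy model (hypothetical names); not sshd's implementation.
class StartupTracker:
    def __init__(self, per_source_max, track_exits=True):
        self.per_source_max = per_source_max
        self.track_exits = track_exits  # False models lost exit notifications
        self.pending = {}               # conn id -> source, while unauthenticated
        self.next_id = 0

    def connect(self, src):
        """Return a connection id, or None when the connection is dropped."""
        in_use = sum(1 for s in self.pending.values() if s == src)
        if in_use >= self.per_source_max:
            return None
        self.next_id += 1
        self.pending[self.next_id] = src
        return self.next_id

    def authenticated(self, conn_id):
        # An authenticated session no longer counts against the limit.
        self.pending.pop(conn_id, None)

    def exited(self, conn_id):
        # The slot is freed only if the exit is actually recorded.
        if self.track_exits:
            self.pending.pop(conn_id, None)


def simulate(limit, attempts, track_exits=True):
    """attempts: list of (source, outcome), outcome 'auth' or 'exit'.
    Returns one bool per attempt: True if accepted, False if dropped."""
    tracker = StartupTracker(limit, track_exits)
    accepted = []
    for src, outcome in attempts:
        conn = tracker.connect(src)
        accepted.append(conn is not None)
        if conn is None:
            continue
        if outcome == "auth":
            tracker.authenticated(conn)
        else:
            tracker.exited(conn)
    return accepted


if __name__ == "__main__":
    src = "198.51.100.7"  # constructed documentation address
    print(simulate(3, [(src, "auth")] * 5))
    print(simulate(3, [(src, "exit")] * 3 + [(src, "auth")] * 2, track_exits=False))
```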