sshd_config中最大启动和最大会话的区别
我想限制ssh连接的总数。我已经看过很多sshd手册了。他们只是说这两个字段可以用于MaxStartups:到SSH守护进程MaxSession的并发未经身份验证的连接的最大数量:每个TCP连接允许的(多路传输的)打开会话的最大数量。在计算ssh连接总数时,两者的贡献是什么?
回答 2
Stack Overflow用户
发布于 2020-07-30 21:15:10
这个问题很老了,可能更适合于serverfault,但除了引用手册页之外,它从未得到过答案。我的答案是通过添加一些上下文来补充手册页的细节。
首先,应该注意,这两个设置彼此独立,它们处理SSH连接的不同阶段。
MaxSessions
SSH允许使用一个TCP连接同时打开多个会话(例如shell、sftp传输和原始命令)。这节省了多次TCP握手和多次SSH身份验证的开销。参数MaxSessions允许将此多路复用限制为一定数量的会话。
如果设置了MaxSessions 1并打开了一个外壳,您仍然可以运行SFTP传输或打开第二个外壳,但在后台,SSH将打开另一个TCP连接并再次进行身份验证。(使用密码身份验证使其可见)。
如果您设置了MaxSessions 0,您可以确保没有人可以打开会话( shell、SFTP或类似的),但您仍然可以连接以打开隧道或ssh到下一台主机。
查看ssh_config(5)的ControlMaster部分。
MaxSessions
Specifies the maximum number of open shell, login or subsystem
(e.g. sftp) sessions permitted per network connection. Multiple
sessions may be established by clients that support connection
multiplexing. Setting MaxSessions to 1 will effectively disable
session multiplexing, whereas setting it to 0 will prevent all
shell, login and subsystem sessions while still permitting for-
warding. The default is 10.MaxStartups
当您连接到远程SSH服务器时,在建立连接和成功进行身份验证之间有一个时间窗口。这段时间可以很短,例如,当您将SSH客户端配置为使用某个私钥进行此连接时,也可以很长,当客户端首先尝试三个不同的SSH密钥时,提示您输入密码,然后等待您输入通过文本消息获得的第二因素验证码。同时在此时间范围内的连接总数是在引用的手册页上提到的“并发未经身份验证的连接”。如果有太多的连接处于这种状态,sshd将停止接受新的连接。当这种情况发生时,您可以调整MaxStartups以进行更改。
更改缺省值的现实世界用例是,例如,由ansible等供应软件使用的跳转主机。当被要求在跳转主机后面配置大量主机时,Ansible会同时打开许多连接,因此如果打开连接的速度快于SSH主机能够对其进行身份验证的速度,Ansible可能会遇到此限制。
MaxStartups
Specifies the maximum number of **concurrent unauthenticated con-
nections to the SSH daemon.** Additional connections will be
dropped until authentication succeeds or the LoginGraceTime
expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the
three colon separated values ``start:rate:full'' (e.g.
"10:30:60"). sshd(8) will refuse connection attempts with a
probability of ``rate/100'' (30%) if there are currently
``start'' (10) unauthenticated connections. The probability
increases linearly and all connection attempts are refused if the
number of unauthenticated connections reaches ``full'' (60).Stack Overflow用户
发布于 2017-05-05 17:59:16
MaxSessions
Specifies the maximum number of open shell, login or subsystem
(e.g. sftp) sessions permitted per network connection. Multiple
sessions may be established by clients that support connection
multiplexing. Setting MaxSessions to 1 will effectively disable
session multiplexing, whereas setting it to 0 will prevent all
shell, login and subsystem sessions while still permitting for-
warding. The default is 10.
MaxStartups
Specifies the maximum number of **concurrent unauthenticated con-
nections to the SSH daemon.** Additional connections will be
dropped until authentication succeeds or the LoginGraceTime
expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the
three colon separated values ``start:rate:full'' (e.g.
"10:30:60"). sshd(8) will refuse connection attempts with a
probability of ``rate/100'' (30%) if there are currently
``start'' (10) unauthenticated connections. The probability
increases linearly and all connection attempts are refused if the
number of unauthenticated connections reaches ``full'' (60).https://stackoverflow.com/questions/31114690
复制相似问题
腾讯云开发者
