hi, yeah, i noted this to the ssh development team in march, 1999. this was under version 1.2.26, and then 1.2.27 came out and there was no fix for it. i didn't BUGTRAQ it as i find such info without a real fix to be irresponsible. my coding sucks and i haven't been able to get my MaxClients parameter to work in sshd. this would then be analogous to that found in the apache web server. my incomplete code diffs are available to anyone who wants to make it work, i get errors when it forks the child process to handle the socket. an alternative i use on my servers is to install xinetd and load sshd into xinetd. instances control in xinetd take care of that issue. similar inetd replacements which have instances control would also work. be sure to use the "-i" flag since it's no longer standalone. a working xinetd config for it would look like: service ssh { socket_type = stream protocol = tcp wait = no user = root server = /usr/local/sbin/sshd server_args = -i instances = 10 } <rant> this is pretty irresponsible of ssh's development team to leave such an obvious point of trouble in their code long before i even mentioned it to them. the apache team noted in their configuration comments why they have a MaxClients type of parameter, to prevent resource exhaustion of a standalone daemon. sshd is reccomended to be run as standalone, and installs by default as standalone, their lack of observation of this parameter is stunning. i just didn't want to be party to this irresponsibility and post a DoS that could affect a $#@%load of machines without some real code fix. an %$@#load of admins use sshd on their machines for secure WAN connectivity and are vulnerable to this annoying DoS. </rant> sincerely, jose nazario joseat_private PGP 2.6.2 key fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80 Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:39 PDT