Re: remote DoS against inetd and ssh

From: Jose Nazario (joseat_private)
Date: Wed Sep 08 1999 - 07:49:12 PDT

    hi,
    
    yeah, i noted this to the ssh development team in march, 1999. this was
    under version 1.2.26, and then 1.2.27 came out and there was no fix for
    it. i didn't BUGTRAQ it as i find such info without a real fix to be
    irresponsible. my coding sucks and i haven't been able to get my
    MaxClients parameter to work in sshd. this would then be analogous to that
    found in the apache web server. my incomplete code diffs are available to
    anyone who wants to make it work, i get errors when it forks the child
    process to handle the socket.
    
    an alternative i use on my servers is to install xinetd and load sshd into
    xinetd. instances control in xinetd takes care of that issue. similar inetd
    replacements which have instances control would also work. be sure to use
    the "-i" flag since it's no longer standalone. a working xinetd config for
    it would look like:
    
    service ssh
    {
            socket_type     = stream
            protocol        = tcp
            wait            = no
            user            = root
            server          = /usr/local/sbin/sshd
            server_args     = -i
            instances       = 10
    }
    
    
    
    <rant>
    this is pretty irresponsible of ssh's development team to leave such an
    obvious point of trouble in their code long before i even mentioned it to
    them. the apache team noted in their configuration comments why they have
    a MaxClients type of parameter, to prevent resource exhaustion of a
    standalone daemon. sshd is recommended to be run as standalone, and
    installs by default as standalone, their lack of observation of this
    parameter is stunning.
    
    i just didn't want to be party to this irresponsibility and post a DoS
    that could affect a $#@%load of machines without some real code fix. an
    %$@#load of admins use sshd on their machines for secure WAN connectivity
    and are vulnerable to this annoying DoS.
    </rant>
    
    sincerely,
    
    jose nazario					joseat_private
    PGP 2.6.2 key fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
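
The MaxClients idea described in the message above, as an added example that is not part of the original post and is not sshd's code: a forking accept loop that refuses new connections once MAX_CLIENTS children are alive, so a flood of connections cannot exhaust the daemon. MAX_CLIENTS, demo_session and the other function names are assumptions chosen for illustration.

```c
#include <errno.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_CLIENTS 10        /* assumed cap, same value as "instances = 10" */
int active_children = 0;      /* sessions forked and not yet reaped */

/* Reap exited children without blocking; returns the live count. */
int reap_children(void)
{
    while (active_children > 0 && waitpid(-1, NULL, WNOHANG) > 0)
        active_children--;
    return active_children;
}

/* Stand-in for a login session: holds its slot until the peer sends a byte. */
void demo_session(int conn)
{
    char c;
    while (read(conn, &c, 1) < 0 && errno == EINTR) { }
}

/* Returns 1 = child forked, 0 = refused at the cap, -1 = fork failed. */
int dispatch_client(int conn, void (*session)(int))
{
    if (reap_children() >= MAX_CLIENTS) {
        close(conn);          /* refuse early; no fork, no new process */
        return 0;
    }
    pid_t pid = fork();
    if (pid == 0) {
        session(conn);
        _exit(0);
    }
    close(conn);              /* parent drops its copy or descriptors leak */
    if (pid < 0) return -1;
    active_children++;
    return 1;
}

/* Accept loop for an already-listening socket. */
void serve(int listen_fd, void (*session)(int))
{
    int conn;
    while ((conn = accept(listen_fd, NULL, NULL)) >= 0 || errno == EINTR)
        if (conn >= 0)
            dispatch_client(conn, session);
}
```

Exited children are reaped on the next incoming connection, so at most MAX_CLIENTS zombies exist at any time and no SIGCHLD handler is needed.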
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:39 PDT