Subject: RE: ssh configuration (Defect 18513)
Date: Sun, 13 May 2007 22:45:39 -0700
From: "Brian DeForest" <brian.deforest@onstor.com>
To: "Mike Lee" <mike.lee@onstor.com>,
	"Andy Sharp" <andy.sharp@onstor.com>,
	"Larry Scheer" <larry.scheer@onstor.com>
Cc: "Rendell Fong" <rendell.fong@onstor.com>,
	"Sandrine Boulanger" <sandrine.boulanger@onstor.com>,
	"Tim Gardner" <tim.gardner@onstor.com>

Before modifying SSH we should determine whether it's the number of SSH
sessions or just the number of processes. We might also have to limit
the number of nfxsh sessions.

-----Original Message-----
From: Mike Lee
Sent: Sunday, May 13, 2007 8:29 PM
To: Andy Sharp; Larry Scheer
Cc: Brian DeForest; Rendell Fong; Sandrine Boulanger; Tim Gardner
Subject: ssh configuration (Defect 18513)

Gentlemen:

Concerning that BSD panic due to kernel memory exhaustion, Rendell
figured out that it was due to too many concurrent ssh connections to
our filer, where each connection ate up 40K of memory.

As such, I think we need to configure our ssh daemon to limit the
maximum number of concurrent connections.  I searched a bit online and
the only thing I found was the MaxStartups setting, but it is for
"concurrent unauthenticated connections".

Do you know of a way to limit number of connections, authenticated or
unauthenticated?

Thanks!

-Mike


MaxStartups
Specifies the maximum number of concurrent unauthenticated connections
to the sshd daemon. Additional connections will be dropped until
authentication succeeds or the LoginGraceTime expires for a connection.
The default is 10.
Alternatively, random early drop can be enabled by specifying the three
colon separated values "start:rate:full" (e.g., "10:30:60"). sshd will
refuse connection attempts with a probability of "rate/100" (30%) if
there are currently "start" (10) unauthenticated connections. The
probability increases linearly and all connection attempts are refused
if the number of unauthenticated connections reaches "full" (60).
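The random early drop ramp quoted above, as an added model (not sshd's own code and not part of the original thread): it parses a MaxStartups value in either the single-number or the "start:rate:full" form and returns the refusal probability for a given count of unauthenticated connections, so the curve for "10:30:60" can be inspected before changing the setting.

```python
"""Model of sshd's MaxStartups random-early-drop policy.

Constructed example: reimplements the documented behaviour so the
drop curve can be inspected offline. It is not OpenSSH's code and
does not read any live system state.
"""
import random
from typing import NamedTuple


class MaxStartups(NamedTuple):
    start: int  # unauthenticated connections at which dropping begins
    rate: int   # refusal probability in percent once 'start' is reached
    full: int   # every new connection is refused from here on


def parse_max_startups(value: str) -> MaxStartups:
    """Parse "10" or "10:30:60" as sshd_config's MaxStartups option accepts.

    A single number is a hard cap: refuse everything once it is reached.
    """
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        return MaxStartups(parts[0], 100, parts[0])
    if len(parts) != 3 or not (0 < parts[0] <= parts[2] and 0 <= parts[1] <= 100):
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return MaxStartups(*parts)


def drop_probability(cfg: MaxStartups, unauthenticated: int) -> float:
    """Probability that a new connection is refused when `unauthenticated`
    connections are already waiting to authenticate."""
    if unauthenticated < cfg.start:
        return 0.0
    if unauthenticated >= cfg.full:
        return 1.0
    # Linear ramp from rate% at 'start' up to 100% at 'full'.
    span = cfg.full - cfg.start
    pct = cfg.rate + (100 - cfg.rate) * (unauthenticated - cfg.start) / span
    return pct / 100


def should_drop(cfg: MaxStartups, unauthenticated: int, rng: random.Random) -> bool:
    """One random early drop decision for an incoming connection."""
    return rng.random() < drop_probability(cfg, unauthenticated)


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:60")  # the man page's own example
    for n in (0, 9, 10, 20, 35, 59, 60, 100):
        print(f"{n:3d} unauthenticated -> refuse with p={drop_probability(cfg, n):.2f}")
```

Note that this only models unauthenticated connections, which is exactly the gap the thread raises: once a session has authenticated it no longer counts against MaxStartups.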
