MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C795E1.66CDD99B"
References: <BB375AF679D4A34E9CA8DFA650E2B04E028FB43E@onstor-exch02.onstor.net>
Content-class: urn:content-classes:message
Subject: RE: ssh configuration (Defect 18513)
Date: Sun, 13 May 2007 21:36:12 -0700
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E0A91F0@onstor-exch02.onstor.net>
From: "Larry Scheer" <larry.scheer@onstor.com>
To: "Mike Lee" <mike.lee@onstor.com>,
	"Andy Sharp" <andy.sharp@onstor.com>
Cc: "Brian DeForest" <brian.deforest@onstor.com>,
	"Rendell Fong" <rendell.fong@onstor.com>,
	"Sandrine Boulanger" <sandrine.boulanger@onstor.com>,
	"Tim Gardner" <tim.gardner@onstor.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C795E1.66CDD99B
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

How many concurrent SSH connections were there?
At 40Kbytes of memory each session, you would need 6554 sessions running to exhaust 256Mbytes of memory. Are you saying the real problem is a runaway process spawning SSH connections?

When do we ever have dozens of SSH processes running on the SSC? I can't imagine hundreds much less thousands of SSH processes. What are you seeing that I am missing here?

Larry

-----Original Message-----
From: Mike Lee
Sent: Sun 5/13/2007 8:29 PM
To: Andy Sharp; Larry Scheer
Cc: Brian DeForest; Rendell Fong; Sandrine Boulanger; Tim Gardner
Subject: ssh configuration (Defect 18513)

Gentlemen:

Concerning that BSD panic due to kernel memory exhaustion, Rendell figured out that it was due to too many concurrent ssh connections to our filer, where each connection ate up 40K of memory.

As such, I think we need to configure our ssh daemon to limit the maximum number of concurrent connections. I searched a bit online and the only thing I found was the MaxStartups setting, but it is for "concurrent unauthenticated connections".

Do you know of a way to limit number of connections, authenticated or unauthenticated?

Thanks!

-Mike


MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).


------_=_NextPart_001_01C795E1.66CDD99B--
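
Added example, not part of the original thread and not sshd's own code: a Python model of the MaxStartups random-early-drop rule as the quoted man-page text describes it, together with the sessions-to-exhaust arithmetic from the reply. The function names, the treatment of the single-number form as a hard cap, and the use of 1 Mbyte = 1024 Kbytes are assumptions of this example.

```python
import math
from typing import NamedTuple


class MaxStartups(NamedTuple):
    start: int  # unauthenticated connections at which dropping begins
    rate: int   # refusal probability in percent once `start` is reached
    full: int   # unauthenticated connections at which all are refused


def parse_max_startups(value: str) -> MaxStartups:
    """Parse the single-number form ("10") or "start:rate:full"."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        # Assumption: a single number is modelled as a hard cap.
        n = int(parts[0])
        return MaxStartups(n, 100, n)
    if len(parts) != 3:
        raise ValueError(f"expected N or start:rate:full, got {value!r}")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full and 1 <= rate <= 100):
        raise ValueError(f"out-of-range MaxStartups value {value!r}")
    return MaxStartups(start, rate, full)


def refusal_percent(cfg: MaxStartups, unauthenticated: int) -> float:
    """Refusal probability (percent) for a new connection attempt."""
    if unauthenticated < cfg.start:
        return 0.0
    if unauthenticated >= cfg.full:
        return 100.0
    # Linear ramp from `rate` at `start` up to 100 at `full`.
    span = cfg.full - cfg.start
    return cfg.rate + (100 - cfg.rate) * (unauthenticated - cfg.start) / span


def sessions_to_exhaust(memory_kib: int, per_session_kib: int) -> int:
    """Sessions whose combined footprint reaches memory_kib."""
    return math.ceil(memory_kib / per_session_kib)


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:60")  # the man page's own example value
    for n in (9, 10, 35, 60):
        print(f"{n:3d} unauthenticated -> {refusal_percent(cfg, n):5.1f}% refused")
    # Figures from the thread: 40K per connection, 256 Mbytes of memory.
    print("sessions to exhaust:", sessions_to_exhaust(256 * 1024, 40))
```

The model only counts unauthenticated connections, which is the limitation the original question points out: once a connection authenticates it no longer counts against MaxStartups.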
