Bug 2218915

Summary: [RFE] better document MaxStartups explaining behavior using a single value instead of just the three colon separated values
Product: Red Hat Enterprise Linux 8 Reporter: Juan Gamba <jgamba>
Component: opensshAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED MIGRATED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: low    
Version: ---CC: jjelen, peter.vreman, vpolasek
Target Milestone: rcKeywords: FutureFeature, MigratedToJIRA, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-09-20 00:28:01 UTC Type: Story
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Juan Gamba 2023-06-30 14:35:17 UTC 
Description of problem:

[RFE] better document MaxStartups explaining behavior using a single value instead of three colon separated values

Version-Release number of selected component (if applicable):

any version

How reproducible:

always

Steps to Reproduce:
1. - Set 'MaxStartups 10' in  /etc/ssh/sshd_config
2. - restart sshd
3. - man 5 sshd_config

Actual results:

MaxStartups is accepted.

From 'man 5 sshd_config',

     MaxStartups
             Specifies the maximum number of concurrent unau‐
             thenticated connections to the SSH daemon.  Addi‐
             tional connections will be dropped until authenti‐
             cation succeeds or the LoginGraceTime expires for
             a connection.  The default is 10:30:100.

             Alternatively, random early drop can be enabled by
             specifying the three colon separated values
             start:rate:full (e.g. "10:30:60").  sshd(8) will
             refuse connection attempts with a probability of
             rate/100 (30%) if there are currently start (10)
             unauthenticated connections.  The probability in‐
             creases linearly and all connection attempts are
             refused if the number of unauthenticated connec‐
             tions reaches full (60).

Expected results:

Detailed explanation on one value setting and/or example using it.

Additional info:

#/source/RHEL8/RHEL8.8/openssh/openssh-8.0p1-17/openssh-8.0p1#]

[servconf.c]

80:initialize_server_options(ServerOptions *options)
81-{
82-	memset(options, 0, sizeof(*options));
83-
84-	/* Portable-specific options */
85-	options->use_pam = -1;
86-
87-	/* Standard Options */
[..]
153-	options->max_startups_begin = -1;
154-	options->max_startups_rate = -1;
155-	options->max_startups = -1;
[..]
1212 int
1213 process_server_config_line(ServerOptions *options, char *line,
1214     const char *filename, int linenum, int *activep,
1215     struct connection_info *connectinfo)
1216 {
[..]
1266:        switch (opcode) {
[..]
1784:	case sMaxStartups:
1785-		arg = strdelim(&cp);
1786-		if (!arg || *arg == '\0')
1787-			fatal("%s line %d: Missing MaxStartups spec.",
1788-			    filename, linenum);
1789-		if ((n = sscanf(arg, "%d:%d:%d",
1790-		    &options->max_startups_begin,
1791-		    &options->max_startups_rate,
1792-		    &options->max_startups)) == 3) {
1793-			if (options->max_startups_begin >
1794-			    options->max_startups ||
1795-			    options->max_startups_rate > 100 ||
1796-			    options->max_startups_rate < 1)
1797-				fatal("%s line %d: Illegal MaxStartups spec.",
1798-				    filename, linenum);
1799-		} else if (n != 1)
1800-			fatal("%s line %d: Illegal MaxStartups spec.",
1801-			    filename, linenum);
1802-		else
1803-			options->max_startups = options->max_startups_begin;
1804-		break;

There if you set "MaxStartups 10" is the same as setting "MaxStartups 10:-1:10"

The additional details in MaxStartups documentation aims to provide better understanding of this setting to both users and security profile makers.

If only one value setting is set, security profiles as CIS (evaluated with oscap) fails claiming that requires the three colon separated values. (already opened a bugzilla there as well)

Juan Gamba
Comment 2 Dmitry Belyavskiy 2023-07-04 13:38:32 UTC 
Uninitialized options are overwritten by some reasonable defaults (10 is really equal to 10:30:10). I'm not sure we need documenting it better as it's an internal value that can change.

I think that the oscap evaluation should be fixed.
Comment 3 Juan Gamba 2023-07-04 18:39:38 UTC 
Below the usage from its man page,

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated connections to the SSH dae‐
             mon.  Additional connections will be dropped until authentication succeeds or the
             LoginGraceTime expires for a connection.  The default is 10:30:100.

             Alternatively, random early drop can be enabled by specifying the three colon separated
             values start:rate:full (e.g. "10:30:60").  sshd(8) will refuse connection attempts with
             a probability of rate/100 (30%) if there are currently start (10) unauthenticated con‐
             nections.  The probability increases linearly and all connection attempts are refused if
             the number of unauthenticated connections reaches full (60).

Reading the first line of the first paragraph "Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon." and the first line of the second paragraph, "Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60")", it does states that one value is fine, but it is not clear what happens with with "start:rate:", and that single value is actually ":full"

I do think that some additional details should be added into the documentation of that option.

I used gdb to see what happens with the value, and stopped right there on "10:-1:10",

But later the value is set to the default,

   386          if (options->max_startups_rate == -1)
   387                  options->max_startups_rate = 30;                /* 30% */

As you said.
Comment 5 RHEL Program Management 2023-09-20 00:26:49 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 6 RHEL Program Management 2023-09-20 00:28:01 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.