Bug 2218915
| Summary: | [RFE] better document MaxStartups explaining behavior using a single value instead of just the three colon separated values | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Juan Gamba <jgamba> |
| Component: | openssh | Assignee: | Dmitry Belyavskiy <dbelyavs> |
| Status: | NEW --- | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | --- | CC: | jjelen, npocs, peter.vreman, vpolasek |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Uninitialized options are overwritten by some reasonable defaults (10 is really equal to 10:30:10). I'm not sure we need documenting it better as it's an internal value that can change. I think that the oscap evaluation should be fixed. Below the usage from its man page,
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the SSH dae‐
mon. Additional connections will be dropped until authentication succeeds or the
LoginGraceTime expires for a connection. The default is 10:30:100.
Alternatively, random early drop can be enabled by specifying the three colon separated
values start:rate:full (e.g. "10:30:60"). sshd(8) will refuse connection attempts with
a probability of rate/100 (30%) if there are currently start (10) unauthenticated con‐
nections. The probability increases linearly and all connection attempts are refused if
the number of unauthenticated connections reaches full (60).
Reading the first line of the first paragraph "Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon." and the first line of the second paragraph, "Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60")", it does states that one value is fine, but it is not clear what happens with with "start:rate:", and that single value is actually ":full"
I do think that some additional details should be added into the documentation of that option.
I used gdb to see what happens with the value, and stopped right there on "10:-1:10",
But later the value is set to the default,
386 if (options->max_startups_rate == -1)
387 options->max_startups_rate = 30; /* 30% */
As you said.
|
Description of problem: [RFE] better document MaxStartups explaining behavior using a single value instead of three colon separated values Version-Release number of selected component (if applicable): any version How reproducible: always Steps to Reproduce: 1. - Set 'MaxStartups 10' in /etc/ssh/sshd_config 2. - restart sshd 3. - man 5 sshd_config Actual results: MaxStartups is accepted. From 'man 5 sshd_config', MaxStartups Specifies the maximum number of concurrent unau‐ thenticated connections to the SSH daemon. Addi‐ tional connections will be dropped until authenti‐ cation succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100. Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of rate/100 (30%) if there are currently start (10) unauthenticated connections. The probability in‐ creases linearly and all connection attempts are refused if the number of unauthenticated connec‐ tions reaches full (60). Expected results: Detailed explanation on one value setting and/or example using it. Additional info: #/source/RHEL8/RHEL8.8/openssh/openssh-8.0p1-17/openssh-8.0p1#] [servconf.c] 80:initialize_server_options(ServerOptions *options) 81-{ 82- memset(options, 0, sizeof(*options)); 83- 84- /* Portable-specific options */ 85- options->use_pam = -1; 86- 87- /* Standard Options */ [..] 153- options->max_startups_begin = -1; 154- options->max_startups_rate = -1; 155- options->max_startups = -1; [..] 1212 int 1213 process_server_config_line(ServerOptions *options, char *line, 1214 const char *filename, int linenum, int *activep, 1215 struct connection_info *connectinfo) 1216 { [..] 1266: switch (opcode) { [..] 1784: case sMaxStartups: 1785- arg = strdelim(&cp); 1786- if (!arg || *arg == '\0') 1787- fatal("%s line %d: Missing MaxStartups spec.", 1788- filename, linenum); 1789- if ((n = sscanf(arg, "%d:%d:%d", 1790- &options->max_startups_begin, 1791- &options->max_startups_rate, 1792- &options->max_startups)) == 3) { 1793- if (options->max_startups_begin > 1794- options->max_startups || 1795- options->max_startups_rate > 100 || 1796- options->max_startups_rate < 1) 1797- fatal("%s line %d: Illegal MaxStartups spec.", 1798- filename, linenum); 1799- } else if (n != 1) 1800- fatal("%s line %d: Illegal MaxStartups spec.", 1801- filename, linenum); 1802- else 1803- options->max_startups = options->max_startups_begin; 1804- break; There if you set "MaxStartups 10" is the same as setting "MaxStartups 10:-1:10" The additional details in MaxStartups documentation aims to provide better understanding of this setting to both users and security profile makers. If only one value setting is set, security profiles as CIS (evaluated with oscap) fails claiming that requires the three colon separated values. (already opened a bugzilla there as well) Juan Gamba