The "maxpack" value negociated between ssh server and a client is not always really observed by certain versions of some clients, and is only considered as a wish, not an obligation (like in secureFX 1.9.3, since 1.9.4 does enforce the limitation). This is not really a problem since it doesn't prevent both sides to communicate, even with big packets. There's no problem with that with sshd2 from ssh.com. This is also not a problem with opensshd 2.9p2, EXCEPT that it floods logs (/var/log/secure) with some useless things: Logs: Jul 6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 31092, maxpack 16384 Jul 6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 31064, maxpack 16384 Jul 6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 31036, maxpack 16384 Jul 6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 31008, maxpack 16384 Jul 6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 30980, maxpack 16384 Jul 6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 30952, maxpack 16384 etc... Flooding logs can be a way of DoS. So it seems to me that this is really only DEBUG information. In those conditions, I think the log() ought to be replaced by a debug() like this: Patch diff: --- openssh-2.9p2/channels.c.old Fri Jul 20 23:03:47 2001 +++ openssh-2.9p2/channels.c Fri Jul 20 23:04:08 2001 @@ -1315,11 +1315,11 @@ if (compat20){ if (data_len > c->local_maxpacket) { - log("channel %d: rcvd big packet %d, maxpack %d", + debug("channel %d: rcvd big packet %d, maxpack %d", c->self, data_len, c->local_maxpacket); } if (data_len > c->local_window) { - log("channel %d: rcvd too much data %d, win %d", + debug("channel %d: rcvd too much data %d, win %d", c->self, data_len, c->local_window); xfree(data); return; ------------- If someone considers 'too much data' is not only a debug information, 'big packet received' not creating communication problem nor bufferoverflowing anything is really a debug information.
This change will be integrated into 2.9p2-7 and later. Thanks!