Mailing List Archive

what is best practice to limit forked sshd processes
Is there a best practice to limit the number of forked sshd processes ?

Is /etc/security/limits.d the recommended approach ?

regards,
Jeff
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: what is best practice to limit forked sshd processes
Hello,

Maybe I'll rephrase what I'm observing.

A client is requesting a subsystem, but though the subsystem exits, the forked sshd process does not terminate.

We are still analyzing why (i.e. ssh session not terminated, etc.), but nevertheless we can't have the client cause the server to spawn an unlimited number of authenticated sessions. We limit the number of subsystems.

I would like to force the termination of the forked sshd process when the subsystem terminates.

Any suggestions how this can be accomplished?

On Wednesday, August 12, 2020, 03:07:04 p.m. EDT, Ladouceur Jeffrey <jefflad@yahoo.ca> wrote:

Is there a best practice to limit the number of forked sshd processes ?

Is /etc/security/limits.d the recommended approach ?

regards,
Jeff

Re: what is best practice to limit forked sshd processes
On Thu, 27 Aug 2020, Ladouceur Jeffrey wrote:

> Hello,
>
> Maybe I'll rephrase what I'm observing.
>
> A client is requesting a subsystem, but though the subsystem exits, the forked sshd process does not terminate.
>
> We are still analyzing why (i.e. ssh session not terminated, etc.), but nevertheless we can't have the client cause the server to spawn an unlimited number of authenticated sessions. We limit the number of subsystems.
>
> I would like to force the termination of the forked sshd process when the subsystem terminates.
>
> Any suggestions how this can be accomplished ?

sshd itself does not have any built-in way to do this, as there is no
controller process that tracks sessions (at least not once they have
completed authentication).

Your limits.d or some other PAM-based approach seems reasonable.

-d
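
Added example, not part of the thread and not OpenSSH code: since sshd has no controller process tracking authenticated sessions, one way to see the problem described above is to scan process-table output for per-session sshd processes that no longer have a child (the subsystem has exited) and to count sessions per user. The `ps` sample is constructed, and the "sshd: user@tty" process title format and the 300-second age threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `ps -eo pid,ppid,user,etimes,args` output (not from the thread).
SAMPLE_PS = """\
  PID  PPID USER     ELAPSED COMMAND
  812     1 root       90000 /usr/sbin/sshd -D
 4101   812 root        7200 sshd: alice [priv]
 4103  4101 alice       7200 sshd: alice@notty
 4104  4103 alice       7200 /usr/libexec/openssh/sftp-server
 4200   812 root        6900 sshd: alice [priv]
 4202  4200 alice       6900 sshd: alice@notty
 4300   812 root        3600 sshd: alice [priv]
 4302  4300 alice       3600 sshd: alice@notty
 4400   812 root          40 sshd: bob [priv]
 4402  4400 bob           40 sshd: bob@pts/0
"""

# Assumption: post-authentication session processes carry the title
# "sshd: <user>@<tty|notty>"; the "[priv]" monitor processes do not match.
SESSION_RE = re.compile(r"^sshd: (\S+)@(\S+)")

def parse_ps(text):
    """Turn ps output (header line skipped) into (pid, ppid, user, age, args) rows."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) == 5:
            pid, ppid, user, etimes, args = parts
            rows.append((int(pid), int(ppid), user, int(etimes), args))
    return rows

def sessions_per_user(rows):
    """Count authenticated session processes per user, to compare with a limit."""
    counts = defaultdict(int)
    for *_, args in rows:
        m = SESSION_RE.match(args)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def lingering_sessions(rows, min_age=300):
    """Session sshd processes at least min_age seconds old that have no child."""
    parents = {ppid for _, ppid, _, _, _ in rows}
    found = defaultdict(list)
    for pid, _, _, etimes, args in rows:
        m = SESSION_RE.match(args)
        if m and pid not in parents and etimes >= min_age:
            found[m.group(1)].append(pid)
    return dict(found)
```

Feeding it live `ps` output instead of the sample gives a per-user session count to check against whatever cap limits.d or PAM enforces, plus the PIDs of childless session processes to investigate.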