Use default MaxStartups value. #7494
Merged
This PR fixes issue #7493.

Modification Includes:

Clear the `MaxStartups` sshd_config parameter. Currently the `xCAT/postscripts/remoteshell` script unconditionally adds `MaxStartups 1024` to `/etc/ssh/sshd_config`. This setting causes some versions of openssh (notably 8.9p1, as ships with Ubuntu 22.04) to behave pathologically, making it impossible to log into a diskful node after it has finished building. Dropping the value to 1023 (or anything less than 1024) resolves the issue, as does removing the `MaxStartups` parameter entirely. See https://lists.mindrot.org/pipermail/openssh-bugs/2022-March/023864.html for more details on the openssh bug.
Detailed Description

This change simply removes the code in `remoteshell` setting a value for `MaxStartups`, which results in the default value being used by sshd.

This approach to fixing the issue was driven by considering the interaction between the `MaxStartups` setting and the `MaxSessions` setting: `MaxStartups` limits the number of unauthenticated client connections sshd allows before dropping all new connection attempts, and `MaxSessions` limits the number of fully authenticated client sessions. Assuming well-behaved clients and an sshd that can keep up with authenticating them (a reasonable expectation in an xCAT managed environment), `MaxStartups` is unlikely to have any impact; the most important limit on concurrent connections will always be `MaxSessions`.

The default value of `MaxSessions` is 10; the default value of `MaxStartups` is `10:30:100` (a maximum of 100 connections, with 30% of incoming connections being dropped after the backlog reaches 10 connections, ramping up to 100% dropped at 100 connections). These default values are quite compatible; a `MaxStartups` value of 1024 (setting a hard limit of 1024 unauthenticated connections) is very high relative to the number of available session slots.

Assuming the default value of `MaxSessions` is functional in an xCAT context, there doesn't seem to be any reason to override the default value of `MaxStartups` at all, and certainly no reason to set such a high value.

Note
In addition to the `remoteshell` postscript, a number of other pieces of code set the same `MaxStartups` value of 1024:

- `xCAT/postscripts/setupesx:64-65`
- `xCAT/postscripts/aixremoteshell:131`
- `xCAT-server/share/xcat/netboot/add-on/statelite/add_ssh:42-43`

I have chosen to leave these cases untouched, as I currently have no reason to believe they are causing any issues.
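To make the `MaxStartups` semantics discussed in the description concrete, and to show what the `remoteshell` change amounts to for a node's `sshd_config`, here is an added POSIX shell example. It is not part of this PR and not xCAT's own postscript code. It assumes the refusal chance rises linearly from the given rate at `begin` to 100% at `full`, as sshd_config(5) describes; that sshd uses the first value it obtains for a keyword; and it handles only the whitespace-separated `Keyword value` form of the config file. The sample config it writes is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of this PR or of xCAT's postscripts.
# Models how sshd interprets a MaxStartups value and what dropping the
# remoteshell change does to a node's sshd_config (a constructed copy here).

# Expand a MaxStartups value into "begin rate full".
# "10:30:100" -> "10 30 100"; a bare number such as "1024" is a hard limit,
# which sshd treats as begin = full = 1024 (the rate is then never consulted).
parse_max_startups() {
    case "$1" in
        *:*:*) echo "$1" | tr ':' ' ' ;;
        *)     echo "$1 100 $1" ;;
    esac
}

# Percentage chance that sshd refuses a new unauthenticated connection when
# $1 connections are already in the pre-auth backlog, for the value in $2.
# Assumption: linear ramp from rate% at `begin` to 100% at `full`, as
# sshd_config(5) describes; below `begin` nothing is refused.
drop_probability() {
    startups=$1
    set -- $(parse_max_startups "$2")   # positional params are function-local
    begin=$1 rate=$2 full=$3
    if [ "$startups" -lt "$begin" ]; then echo 0; return; fi
    if [ "$startups" -ge "$full" ]; then echo 100; return; fi
    echo $(( rate + (100 - rate) * (startups - begin) / (full - begin) ))
}

# Write a constructed sshd_config resembling what the pre-change remoteshell
# postscript leaves on a node: a few defaults plus an appended MaxStartups 1024.
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin prohibit-password
MaxSessions 10
# appended unconditionally by the pre-change remoteshell postscript
MaxStartups 1024
EOF
}

# Report the MaxStartups value sshd would use for a config file. sshd takes the
# first value it obtains for a keyword, so the first uncommented line wins; when
# no line is present the compiled-in default 10:30:100 applies.
# Only the "Keyword value" whitespace form is handled, not "Keyword=value".
effective_max_startups() {
    v=$(grep -i '^[[:space:]]*MaxStartups[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    echo "${v:-10:30:100}"
}

# What this PR achieves on freshly built nodes, applied to an existing file:
# remove every MaxStartups line so sshd falls back to its default. Goes through
# a temp file because `sed -i` is not portable.
remove_max_startups() {
    tmp="$1.tmp.$$"
    grep -vi '^[[:space:]]*MaxStartups[[:space:]]' "$1" > "$tmp" || true
    mv "$tmp" "$1"
}
```

With the default `10:30:100`, `drop_probability 55 10:30:100` gives 65 (30% at a backlog of 10, rising to 100% at 100), while `drop_probability 1000 1024` gives 0: the bare `1024` refuses nothing until the 1024th pending connection, which is what makes it such a loose limit next to `MaxSessions 10`. On a real node the value sshd actually loaded can be confirmed with `sshd -T | grep -i maxstartups` rather than by reading the file.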