Match
Introduces a conditional block. If all of the criteria on the
Match line are satisfied, the keywords on the following lines
override those set in the global section of the config file,
until either another Match line or the end of the file.
The arguments to Match are one or more criteria-pattern pairs.
The available criteria are User, Group, Host, LocalAddress,
LocalPort, and Address. The match patterns may consist of single
entries or comma-separated lists and may use the wildcard and
negation operators described in the PATTERNS section of
ssh_config(5).
The patterns in an Address criteria may additionally contain
addresses to match in CIDR address/masklen format, e.g.
``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask
length provided must be consistent with the address - it is an
error to specify a mask length that is too long for the address
or one with bits set in this host portion of the address. For
example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively.
Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are AcceptEnv,
AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
AllowUsers, AuthenticationMethods, AuthorizedKeysCommand,
AuthorizedKeysCommandUser, AuthorizedKeysFile,
AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups,
DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication,
HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
KbdInteractiveAuthentication, KerberosAuthentication,
MaxAuthTries, MaxSessions, PasswordAuthentication,
PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel,
PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding and X11UseLocalHost.
MaxSessions
Specifies the maximum number of open sessions permitted per network
connection. The default is 10.
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).
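Specifies the maximum number of concurrent unauthenticated connections to sshd.
Additional connections are dropped until authentication succeeds or the LoginGraceTime expires for a connection.
The default is 10.
Alternatively, random early drop can be enabled with three colon-separated values of the form start:rate:full.
sshd refuses connection attempts with a probability of rate
once there are start unauthenticated connections; the probability then increases linearly, and
all connection attempts are refused when the number of unauthenticated connections reaches full.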
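The random early drop rule described above for MaxStartups, worked through as an added example (a model of the documented behaviour, not code from OpenSSH or from the original notes). The function names and the input validation rules are assumptions of this example.

```python
# Added example: models the MaxStartups "start:rate:full" description above.
# Not OpenSSH code; function names are hypothetical.

def parse_max_startups(value):
    """Parse 'N' or 'start:rate:full' into (start, rate, full)."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        # Single value: a hard limit with no random early drop phase.
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("expected 'N' or 'start:rate:full': %r" % value)
    start, rate, full = (int(p) for p in parts)
    # Assumed sanity rules for this example: rate is a percentage and
    # the drop window must not be inverted.
    if not 1 <= rate <= 100 or start > full:
        raise ValueError("illegal MaxStartups spec: %r" % value)
    return start, rate, full


def refusal_probability(value, unauthenticated):
    """Probability (0.0-1.0) that a new connection attempt is refused."""
    start, rate, full = parse_max_startups(value)
    if unauthenticated < start:
        return 0.0
    if unauthenticated >= full:
        return 1.0
    # Linear ramp from rate% at 'start' to 100% at 'full'.
    span = full - start
    return (rate + (100 - rate) * (unauthenticated - start) / span) / 100


if __name__ == "__main__":
    # Compare the default-style hard limit with the man page's example spec.
    for spec in ("10", "10:30:60"):
        for n in (5, 10, 35, 59, 60):
            print("MaxStartups %-9s unauth=%2d refuse=%.0f%%"
                  % (spec, n, refusal_probability(spec, n) * 100))
```

With "10:30:60", an attacker holding 35 half-open logins already causes roughly two out of three new connection attempts to be refused, which is why LoginGraceTime should be tuned together with this setting.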
LoginGraceTime
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.
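If the user does not log in successfully, the server disconnects after the LoginGraceTime (LGT) has elapsed.
0 means unlimited; the default is 120 seconds.
(Example: bring up the login prompt, type only the ID and then do nothing; the connection is dropped once the LGT has elapsed.)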
http://comments.gmane.org/gmane.os.openbsd.misc/190592
Where I found the first clue
Re: sshd_config ignores MaxSessions?
Mattias Pehlke <mattias <at> mpehlke.de>
2011-11-11 21:16:24 GMT
* Scott <amorphous.yet.not <at> gmail.com> [11.11.2011 20:30]:
> Hello,
>
> $ grep 'MaxSessions' /etc/ssh/sshd_config
> MaxSessions 2
>
> But I can log into a box with at least 5 sessions (I stopped trying at
> that point).
This is not the focus of the MaxSessions directive
See http://openssh.org/txt/release-5.1:
[...]
* Added a MaxSessions option to sshd_config(5) to allow control of the
number of multiplexed sessions supported over a single TCP connection.
This allows increasing the number of allowed sessions above the
previous default of 10, disabling connection multiplexing
(MaxSessions=1) or disallowing login/shell/subsystem sessions
entirely (MaxSessions=0).
--
Mattias
http://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
Set MaxSessions to 2, then:
ssh -M -S /root/.ssh/multi/root@localhost:22 localhost
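ssh -S (same as above)
Running ssh -S one more time results in "connection closed".
Multiplexing: multiple sessions are opened over a single ssh connection.
Using multiple ssh connections: multiple TCP connections are opened.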