Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]
Mouse <mouse@Rodents-Montreal.ORG> Fri, 31 March 2017 06:56 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 978DF12704B for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 30 Mar 2017 23:56:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zqfS-oLg0Iud for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 30 Mar 2017 23:56:26 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9F5C1205D3 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 30 Mar 2017 23:56:25 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 54528855E1; Fri, 31 Mar 2017 06:56:25 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 0F34585570; Fri, 31 Mar 2017 06:56:25 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id DDDB584CDE for <ietf-ssh@netbsd.org>; Thu, 30 Mar 2017 19:54:54 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id tmgKAVBEmS-2 for <ietf-ssh@netbsd.org>; Thu, 30 Mar 2017 19:54:54 +0000 (UTC)
Received: from Stone.Rodents-Montreal.ORG (Stone.Rodents-Montreal.ORG [98.124.61.89]) by mail.netbsd.org (Postfix) with ESMTP id BB7BE84CDD for <ietf-ssh@netbsd.org>; Thu, 30 Mar 2017 19:54:53 +0000 (UTC)
Received: (from mouse@localhost) by Stone.Rodents-Montreal.ORG (8.8.8/8.8.8) id PAA29106; Thu, 30 Mar 2017 15:54:52 -0400 (EDT)
Date: Thu, 30 Mar 2017 15:54:52 -0400
From: Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <201703301954.PAA29106@Stone.Rodents-Montreal.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
X-Composition-Start-Date: Thu, 30 Mar 2017 15:27:01 -0400 (EDT)
To: ietf-ssh@netbsd.org
Subject: Re: Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]
In-Reply-To: <1A92E96F87CA4B70A939D3E0F1A719B4@Khan>
References: <2216143EDEE342A3A5C9BB786F7FEF7A@Khan> <201703231224.IAA22091@Stone.Rodents-Montreal.ORG> <589D55C2CF5942E9910482788CBDB445@Khan> <201703260243.WAA05983@Stone.Rodents-Montreal.ORG> <B27F1BAE8F974449B6EE8B7DF50ED3A9@Khan> <1490595711031.1686@cs.auckland.ac.nz> <BE0AC8D434BC4010842179F29664E7A7@Khan> <201703272204.SAA12391@Stone.Rodents-Montreal.ORG> <CALDDTe2h_2ERDwz_gvnrRTODAjx5dJe5NCRnFYvL=XHuP8mdkQ@mail.gmail.com> <1A92E96F87CA4B70A939D3E0F1A719B4@Khan>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
> I was curious about what that was so I looked. Quoting moussh(1): > [...] > Worst of all, OpenSSH does not provide any way for the server admin to > raise this limit; it is hardwired into the code! > That last sentence is not accurate, OpenSSH has provided a > MaxSessions config option since [] 5.1 (2008) [...] I've updated moussh.1: commit 58da35d27000668ec6c9125790c47cbfed430669 Author: Mouse <mouse@Rodents-Montreal.ORG> Date: Tue Mar 28 08:21:05 2017 -0400 Update the manpage description of the OpenSSH connection-limit misfeature. diff --git a/moussh/moussh.1 b/moussh/moussh.1 index 2bfc901..e235526 100644 --- a/moussh/moussh.1 +++ b/moussh/moussh.1 @@ -747,7 +747,8 @@ to open .Ar N parallel connections to the server. The sharing clients are then load-shared among the server connections. This option is designed to -work around a misfeature in OpenSSH; see the +work around a misfeature in some OpenSSH versions, still useful with +current versions in some circumstances; see the .Sx CONNECTION SHARING section for more. .It Fl just-die @@ -1142,18 +1143,21 @@ option variables false.) There is a misfeature (I would call it a bug, except that reading the source makes it clear it was done deliberately) in OpenSSH's server. (Similar issues may exist with others, but I have no knowledge of -them.) It gratuitously refuses to permit more than ten sessions per -connection. This means that using +them.) It gratuitously refuses to permit more than some number of +sessions per connection. This number defaults to 10, and some versions +(before 5.1, I believe) have it hardwired to 10 in the code. (As far +as I know no version has a way to remove the limit entirely, though for +most purposes specifying a large number like 1000 is equivalent.) This +means that using .Nm moussh Ap s connection-sharing feature to connect to such a server will work fine until you try to open too many remote login sessions, at which point -you will get refusals from the remote server. Worst of all, OpenSSH -does not provide any way for the server admin to raise this limit; it -is hardwired into the code! +you will get refusals from the remote server. .Pp .Nm -contains a workaround for this: when establishing a connection-sharing -server, you can specify +contains a workaround for this, in case the server is a version old +enough to have it hardwired or its admin doesn't want to raise the +limit: when establishing a connection-sharing server, you can specify .Fl share-number (or the corresponding config-file variable) to make .Nm /~\ The ASCII Mouse \ / Ribbon Campaign X Against HTML mouse@rodents-montreal.org / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Fixing exchange of host keys in the SSH key excha… denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Implementation-hazards list [was Re: Fixing excha… Mouse
- Re: Fixing exchange of host keys in the SSH key e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Re: Implementation-hazards list [was Re: Fixing e… Peter Gutmann
- Re: Implementation-hazards list [was Re: Fixing e… Darren Tucker
- Re: Implementation-hazards list [was Re: Fixing e… Mouse
- Re: Implementation-hazards list [was Re: Fixing e… denis bider (Bitvise)
- Re: Implementation-hazards list [was Re: Fixing e… Mouse
- Re: Fixing exchange of host keys in the SSH key e… S.P.Zeidler
- Re: Fixing exchange of host keys in the SSH key e… denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key e… Mouse