Configure SSHD maxAuthTries, loginGraceTime, maxConnectionsPerUser
Enable the site administrator to control the SSHD server's limits by defining how many times a user can prevent an SSH key before we give up, how long the session is allowed to sit without authentication, and how many sessions any single user may have. Change-Id: Ia7da504caa6e741a412dc03cf0e2e167d6d4c612 Signed-off-by: Shawn O. Pearce <sop@google.com>
This commit is contained in:
Shawn O. Pearce
@@ -1603,6 +1603,41 @@ pool by a simple FIFO scheduling system.
|
||||
+
|
||||
By default, 1 plus the number of CPUs available to the JVM.
|
||||
|
||||
[[sshd.maxAuthTries]]sshd.maxAuthTries::
|
||||
+
|
||||
Maximum number of authentication attempts before the server
|
||||
disconnects the client. Each public key that a client has loaded
|
||||
into its local agent counts as one auth request. Users can work
|
||||
around the server's limit by loading less keys into their agent,
|
||||
or selecting a specific key in their `~/.ssh/config` file with
|
||||
the `IdentityFile` option.
|
||||
+
|
||||
By default, 6.
|
||||
|
||||
[[sshd.loginGraceTime]]sshd.loginGraceTime::
|
||||
+
|
||||
Time in seconds that a client has to authenticate before the server
|
||||
automatically terminates their connection. Values should use common
|
||||
unit suffixes to express their setting:
|
||||
+
|
||||
* s, sec, second, seconds
|
||||
* m, min, minute, minutes
|
||||
* h, hr, hour, hours
|
||||
* d, day, days
|
||||
|
||||
+
|
||||
By default, 2 minutes.
|
||||
|
||||
[[sshd.maxConnectionsPerUser]]sshd.maxConnectionsPerUser::
|
||||
+
|
||||
Maximum number of concurrent SSH sessions that a user account
|
||||
may open at one time. This is the number of distinct SSH logins
|
||||
the each user may have active at one time, and is not related to
|
||||
the number of commands a user may issue over a single connection.
|
||||
If set to 0, there is no limit.
|
||||
+
|
||||
By default, 64.
|
||||
|
||||
[[sshd.cipher]]sshd.cipher::
|
||||
+
|
||||
Available ciphers. To permit multiple ciphers, specify multiple
|
||||
|
||||
@@ -14,7 +14,12 @@
|
||||
|
||||
package com.google.gerrit.sshd;
|
||||
|
||||
import static java.util.concurrent.TimeUnit.MILLISECONDS;
|
||||
import static java.util.concurrent.TimeUnit.SECONDS;
|
||||
|
||||
import com.google.gerrit.common.Version;
|
||||
import com.google.gerrit.lifecycle.LifecycleListener;
|
||||
import com.google.gerrit.server.config.ConfigUtil;
|
||||
import com.google.gerrit.server.config.GerritServerConfig;
|
||||
import com.google.gerrit.server.ssh.SshInfo;
|
||||
import com.google.gerrit.server.util.IdGenerator;
|
||||
@@ -129,6 +134,25 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
|
||||
reuseAddress = cfg.getBoolean("sshd", "reuseaddress", true);
|
||||
keepAlive = cfg.getBoolean("sshd", "tcpkeepalive", true);
|
||||
|
||||
getProperties().put(SERVER_IDENTIFICATION,
|
||||
"GerritCodeReview_" + Version.getVersion() //
|
||||
+ " (" + super.getVersion() + ")");
|
||||
|
||||
getProperties().put(MAX_AUTH_REQUESTS,
|
||||
String.valueOf(cfg.getInt("sshd", "maxAuthTries", 6)));
|
||||
|
||||
getProperties().put(
|
||||
AUTH_TIMEOUT,
|
||||
String.valueOf(MILLISECONDS.convert(ConfigUtil.getTimeUnit(cfg, "sshd",
|
||||
null, "loginGraceTime", 120, SECONDS), SECONDS)));
|
||||
|
||||
final int maxConnectionsPerUser =
|
||||
cfg.getInt("sshd", "maxConnectionsPerUser", 64);
|
||||
if (0 < maxConnectionsPerUser) {
|
||||
getProperties().put(MAX_CONCURRENT_SESSIONS,
|
||||
String.valueOf(maxConnectionsPerUser));
|
||||
}
|
||||
|
||||
if (SecurityUtils.isBouncyCastleRegistered()) {
|
||||
initProviderBouncyCastle();
|
||||
} else {
|
||||
|
||||
Reference in New Issue
Block a user