diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index ec6682ff7264..928db295a118 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -680,18 +680,7 @@ read_server_config(ServerOptions *options, const char *filename)
 break;
 case sConnectionsPerPeriod:
- arg = strdelim(&cp);
- if (cp == NULL)
- fatal("%.200s line %d: missing (>= 0) number argument.\n",
- filename, linenum);
- if (sscanf(arg, "%u/%u", &options->connections_per_period,
- &options->connections_period) != 2)
- fatal("%.200s line %d: invalid numerical argument(s).\n",
- filename, linenum);
- if (options->connections_per_period != 0 &&
- options->connections_period == 0)
- fatal("%.200s line %d: invalid connections period.\n",
- filename, linenum);
+ fatal("ConnectionsPerPeriod has been deprecated.");
 break;
 case sSubsystem:
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
index f2a754444fcc..c8ab12541ab7 100644
--- a/crypto/openssh/sshd.8
+++ b/crypto/openssh/sshd.8
@@ -337,31 +337,6 @@ Specifies whether
 should check for new mail for interactive logins.
 The default is
 .Dq yes .
-.It Cm ConnectionsPerPeriod
-This keyword allows for rate-limiting of connections, and
-is followed by two numbers in the format
-.Dq n/s ,
-where
-.Ar n
-is the number of connections from a certain address group
-accepted per period of
-.Ar s
-seconds. Any connection after the number
-.Ar n
-connection in the period of
-.Ar s
-seconds will be dropped, and an informational message will be logged.
-A connection will belong to a certain group, of which there are 13
-by default, according to its IP address.
-The default for this keyword is
-.Dq 0/0 ,
-and rate-limiting can be explicitly turned off by using an
-.Ar n
-parameter of
-.Ql 0
-and any
-.Ar s
-parameter.
 .It Cm DenyGroups
 This keyword can be followed by a number of group names, separated by spaces.
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 6dcc066b804c..ad69883f0ff1 100644
--- a/crypto/openssh/sshd.c 
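Review bot: The new `fatal("ConnectionsPerPeriod has been deprecated.");` in the sConnectionsPerPeriod case drops the `%.200s line %d` prefix that the neighbouring fatal() calls (and the lines this hunk removes) carry, so an administrator whose sshd_config still contains the keyword is told nothing about which file or line triggered the abort. I would keep the convention of this switch: `fatal("%.200s line %d: ConnectionsPerPeriod has been deprecated.", filename, linenum);`. Making a deprecated keyword fatal also means sshd refuses to start after an upgrade for any config that still sets it; that is defensible here because the rate limit it used to provide is gone and an operator should notice, but if a soft deprecation is intended a log() followed by `break` would start the daemon while still flagging the option — I cannot see from this hunk how the file treats other deprecated keywords. read_server_config continues outside the hunk.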
+++ b/crypto/openssh/sshd.c
@@ -167,32 +167,6 @@ unsigned char session_id[16];
 unsigned char *session_id2 = NULL;
 int session_id2_len = 0;
-/* These are used to implement connections_per_period. */
-struct ratelim_connection {
- struct timeval connections_begin;
- unsigned int connections_this_period;
-} *ratelim_connections;
-
-static void
-ratelim_init(void) {
- ratelim_connections = calloc(num_listen_socks,
- sizeof(struct ratelim_connection));
- if (ratelim_connections == NULL)
- fatal("calloc: %s", strerror(errno));
-}
-
-static __inline struct timeval
-timevaldiff(struct timeval *tv1, struct timeval *tv2) {
- struct timeval diff;
- int carry;
-
- carry = tv1->tv_usec > tv2->tv_usec;
- diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 1 : 0);
- diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0);
-
- return diff;
-}
-
 /* record remote hostname or ip */
 unsigned int utmp_len = MAXHOSTNAMELEN;
@@ -508,7 +482,6 @@ main(int ac, char **av)
 int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1;
 pid_t pid;
 socklen_t fromlen;
- int ratelim_exceeded = 0;
 int silent = 0;
 fd_set *fdset;
 struct sockaddr_storage from;
@@ -874,8 +847,6 @@ main(int ac, char **av)
 for (i = 0; i < options.max_startups; i++)
 startup_pipes[i] = -1;
- ratelim_init();
-
 /*
 * Stay listening for connections until the system crashes or
 * the daemon is killed with a signal. 
@@ -948,27 +919,6 @@ main(int ac, char **av)
 break;
 }
- if (options.connections_per_period != 0) {
- struct timeval diff, connections_end;
- struct ratelim_connection *rc;
-
- (void)gettimeofday(&connections_end, NULL);
- rc = &ratelim_connections[i];
- diff = timevaldiff(&rc->connections_begin,
- &connections_end);
- if (diff.tv_sec >= options.connections_period) {
- /*
- * Slide the window forward only after
- * completely leaving it.
- */
- rc->connections_begin = connections_end;
- rc->connections_this_period = 1;
- } else {
- if (++rc->connections_this_period >
- options.connections_per_period)
- ratelim_exceeded = 1;
- }
- }
 /*
 * Got connection. Fork a child to handle it, unless
@@ -987,19 +937,6 @@ main(int ac, char **av)
 startup_pipe = -1;
 pid = getpid();
 break;
- } else if (ratelim_exceeded) {
- const char *myaddr;
-
- myaddr = get_ipaddr(newsock);
- log("rate limit (%u/%u) on %s port %d "
- "exceeded by %s",
- options.connections_per_period,
- options.connections_period, myaddr,
- get_sock_port(newsock, 1), ntop);
- free((void *)myaddr);
- close(newsock);
- ratelim_exceeded = 0;
- continue;
 } else {
 /*
 * Normal production daemon. Fork, and have
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 13fb26504000..7da9ce7ef563 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -12,8 +12,7 @@ ServerKeyBits 768
 LoginGraceTime 120
 KeyRegenerationInterval 3600
 PermitRootLogin no
-# Deprecated: rate-limit sshd connections to 5 connections per 10 seconds
-# ConnectionsPerPeriod 5/10
+# ConnectionsPerPeriod has been deprecated completely
 # After 10 unauthenticated connections, refuse 30% of the new ones, and
 # refuse any more than 60 total.