Limit concurrent connections

Matt Johnston matt at ucc.asn.au
Sat Jun 17 01:10:56 WST 2006


On Fri, Jun 16, 2006 at 09:52:05AM -0700, Rich Turner wrote:
> This seems to be working just fine. Thanks for the help.
> 
> I must admit I am not that versed with C programming. Can you tell me what I 
> just did by commenting out "m_close(svr_ses.childpipe)" in svr-auth.c? I 
> would like to know what I did so that if something odd happens I may be able 
> to relate it to the change I made.

Whenever the listening Dropbear process accepts a new
incoming connection, it forks off a separate child process
to handle it. A pipe is kept open between the listening
process and the child process, which is used to indicate
whether authentication has occurred. When the child session
has been authenticated, it closes the pipe and the main
listener can then keep count of how many unauthenticated
sessions exist at a point in time.

By commenting out that line, the listening process won't
ever recognise the process as "authenticated", except until
the child session exits and the pipe is closed. It will
apply the "unauthenticated connection limit" to all
processes regardless of their state. Past that limit it will
simply close connections immediately.

> Also, the error message that I receive when a second client attempts to 
> connect is "dbclient: connection to root@rich-laptop:22 exited: Failed to get 
> remote version". I would prefer that the error message indicate that I have 
> exceeded the maximum number of concurrent connections. I have found in 
> common.session.c where I can change the text, but I do not want to change it 
> if this would be a valid error for another reason other than maximum 
> connections exceeding. Under what circumstances would I get this error?

The current error message is somewhat misleading. It
basically happens any time there's a connection failure in
the earliest part of the session setup. In this case, the
server is closing the connection immediately (since that's
most appropriate for closing pre-auth connections).
Something like "Remote host closed the connection" is
probably more appropriate. To send a specific "connection
limit exceeded" type message the server would have to send a
more useful disconnect message, though Dropbear is currently
a bit lacking in that area - it's on the todo list.

Matt
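
The pipe mechanism described in the reply above, as an added example that is not part of the original message and is not Dropbear's code: a listener treats EOF on a per-child pipe as "authenticated or exited" and refuses new sessions while too many pipes are still open. All names (`admit`, `seen_close`, `close_on_auth`, `MAX_UNAUTH`) and the limit of 2 are assumptions for illustration; `close_on_auth=0` models the effect of commenting out the `m_close` call.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_UNAUTH 2            /* illustrative limit, not Dropbear's value */
#define MAX_SESS   8
static int   rd[MAX_SESS], nsess;  /* listener's pipe read ends; -1 once EOF seen */
static pid_t pid[MAX_SESS];
/* Listener: has the pipe of session s hit EOF (child closed it, or exited)? */
int seen_close(int s, int wait_ms) {
    struct pollfd p = { .fd = s < 0 ? -1 : rd[s], .events = POLLIN };
    if (p.fd < 0) return 1;                   /* no open pipe for this session */
    if (poll(&p, 1, wait_ms) <= 0) return 0;  /* open: counts as unauthenticated */
    close(rd[s]); rd[s] = -1;
    return 1;
}
int unauth_count(void) {
    int n = 0;
    for (int s = 0; s < nsess; s++) n += !seen_close(s, 0);
    return n;
}
/* Accept a session; -1 = refused. close_on_auth=0 models the edited server. */
int admit(int authenticates, int close_on_auth) {
    int fd[2];
    if (nsess == MAX_SESS || unauth_count() >= MAX_UNAUTH || pipe(fd) < 0) return -1;
    if ((pid[nsess] = fork()) < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid[nsess] == 0) {                    /* child session */
        close(fd[0]);
        if (authenticates && close_on_auth) close(fd[1]);
        for (;;) pause();                     /* session stays connected */
    }
    close(fd[1]);                             /* child holds the only write end */
    rd[nsess] = fd[0];
    return nsess++;
}
void end_session(int s) {                     /* process exit closes the pipe too */
    if (pid[s] > 0) { kill(pid[s], SIGKILL); waitpid(pid[s], NULL, 0); pid[s] = 0; }
}
void end_all(void) {
    for (int s = 0; s < nsess; s++) { end_session(s); seen_close(s, 0); }
    nsess = 0;
}
int main(void) {
    int stock = seen_close(admit(1, 1), 2000); end_all();
    int edited = seen_close(admit(1, 0), 200); end_all();
    return printf("listener notified of auth: stock=%d edited=%d\n", stock, edited) < 0;
}
```

With `close_on_auth=0` an authenticated session keeps occupying a slot until it exits, so the pre-auth limit acts as a cap on all concurrent sessions.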

