Bug ID 719338: Concurrent management SSH connections are unlimited

Last Modified: Nov 23, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 16.0.0, 16.0.0.1, 16.0.1

Fixed In:
15.1.1

Opened: May 09, 2018
Severity: 4-Minor

Symptoms

There is no limit to the number of users that can login concurrently onto a BIG-IP system.

Impact

System can potentially run out of memory.

Conditions

Multiple users are logged into the BIG-IP device through SSH at the same time.

Workaround

Provide a way to limit the number of concurrent user SSH sessions.

Fix Information

There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user. -- Command: modify sys global-settings ssh-session-limit [enable/disable] Specifies enable/disable of ssh session limit feature. + Enables the feature; feature is functional with default values. + Defaults: feature is not enabled for admin/root privileged user. + Total session limit for all users is 10 sessions. -- Command: modify sys global-settings ssh-root-session-limit [enable/disable] Specifies enable/disable of SSH session limit feature for root user. + Enables feature for admin/root privileged user. + Total session limit for all users is still 10 sessions. -- Command: modify sys global-settings ssh-max-session-limit <value> Specifies a global maximum number of SSH sessions. + Changes the default global setting limit of 10 to the specified value. -- Command: modify sys global-settings ssh-max-session-limit-per-user <value> Specifies a global maximum number of SSH sessions for each user. + Sets the maximum session limit per user. + Total sessions on the system are still enforced by the setting for ssh-max-session-limit. -- Command: create auth user <> session-limit <value> Specifies a user-specific SSH sessions limit. + Sets the maximum number of sessions for a particular user. + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.

Behavior Change

There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user. -- Command: modify sys global-settings ssh-session-limit [enable/disable] Specifies enable/disable of ssh session limit feature. + Enables the feature; feature is functional with default values. + Defaults: feature is not enabled for admin/root privileged user. + Total session limit for all users is 10 sessions. -- Command: modify sys global-settings ssh-root-session-limit [enable/disable] Specifies enable/disable of SSH session limit feature for root user. + Enables feature for admin/root privileged user. + Total session limit for all users is still 10 sessions. -- Command: modify sys global-settings ssh-max-session-limit <value> Specifies a global maximum number of SSH sessions. + Changes the default global setting limit of 10 to the specified value. -- Command: modify sys global-settings ssh-max-session-limit-per-user <value> Specifies a global maximum number of SSH sessions for each user. + Sets the maximum session limit per user. + Total sessions on the system are still enforced by the setting for ssh-max-session-limit. -- Command: create auth user <> session-limit <value> Specifies a user-specific SSH sessions limit. + Sets the maximum number of sessions for a particular user. + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.