SSH Session Limit

An administrator can set and modify the number of SSH sessions allowed:

  • system-wide (default is 10 if not set)
  • for a user (default set to the system-wide setting)

Note

The default number of SSH sessions allowed per IP source is limited to 10. This means that if a user's SSH session limit is higher than this per-source limit, the user's additional sessions need to originate from a different IP source.

Best practice is to set the system-wide SSH session limit first, as this will be the default for any new users created on the system. Also note that the per-user SSH session limit cannot be set higher than the system-wide SSH session limit.

To see the current system-wide SSH limit, use:

system ssh_session_limit

To set the system-wide SSH limit:

system ssh_session_limit set <number>

This system-wide value caps the per-user limit that can be set.

When a user is added and no session limit is specified, the user’s SSH session limit is set to the system-wide default limit of 10. It is recommended to also set the user’s session limit.

To set the SSH session limit for a user:

user credential_policy session_limit <username> <number>

where <number> cannot be larger than the system-wide session limit, if it has been set.

The current SSH session limit for users can be seen by using the user list command, for example:

platform@drp32:~$ user credential_policy session_limit joebrown 5
platform@drp32:~$ user list
   user:
     joebrown:
       rights: value not set

   security_policy:
     joebrown:
       account_locked: No
       auto_inactive_account_lockout: 35
       ssh_connection_limit: 5

platform@drp32:~$

If a user has sessions open while the session limit is set, the limit takes effect when new sessions are opened.
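
An added example, not part of the original documentation or the product's own tooling: a Python check run over captured `user list` output that reports users whose limit sits at or above the system-wide value, or above the per-IP-source limit of 10. The sample output, the users alice and svc_backup, the finding labels, and the assumption that several users repeat the single-user layout shown above are constructed for illustration; the system-wide limit is passed in by the caller.

```python
import re

# Constructed sample in the `user list` layout shown above; alice and svc_backup are made up.
SAMPLE = """\
platform@drp32:~$ user list
   user:
     joebrown:
       rights: value not set

   security_policy:
     joebrown:
       account_locked: No
       ssh_connection_limit: 5
     alice:
       ssh_connection_limit: 10
     svc_backup:
       ssh_connection_limit: 15
"""
PER_SOURCE_IP_LIMIT = 10  # default per-IP-source limit stated on this page
LINE = re.compile(r"^(\s*)([\w.-]+):\s*(.*)$")

def parse_limits(text):
    """Return {username: ssh_connection_limit} from the security_policy section."""
    limits, section_indent, section, user = {}, None, None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and shell prompts
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if value == "":  # header line: a section name or a username
            if section_indent is None or indent <= section_indent:
                section_indent, section, user = indent, key, None
            else:
                user = key
        elif section == "security_policy" and user and key == "ssh_connection_limit" and value.isdigit():
            limits[user] = int(value)
    return limits

def audit(limits, system_limit):
    """Return (user, finding) pairs sorted by user; labels are hypothetical."""
    findings = []
    for user, limit in sorted(limits.items()):
        if limit > system_limit:
            findings.append((user, "above-system-limit"))  # consistency check
        elif limit == system_limit:
            findings.append((user, "at-system-limit"))  # may be the inherited default
        if limit > PER_SOURCE_IP_LIMIT:
            findings.append((user, "needs-multiple-source-ips"))
    return findings
```

Call `audit(parse_limits(captured_text), system_limit=N)` with N taken from the `system ssh_session_limit` command.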