Problem: SSH Connection Failures on UCS Primary Nodes Caused by OpenSSH `MaxStartups` Limits

Problem

In larger UCS environments, intermittent SSH connection failures may occur when connecting to the Primary Directory Node. This affects both:

  • Interactive SSH connections from clients such as Windows workstations
  • Automated UCS internal communication using SSH, for example SYSVOL synchronization via rsync over SSH

A typical symptom is:

  • The first SSH connection attempt fails immediately
  • A second attempt succeeds without further issues

The issue may also appear sporadically during automatic SYSVOL synchronization jobs on Replica Nodes.

Example log entries from /var/log/univention/sysvol-sync.log:

kex_exchange_identification: read: Connection reset by peer
Connection reset by [IP address] port 22

rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(232) [Receiver=3.2.7]

Root Cause

The issue is caused by OpenSSH connection throttling on the Primary Directory Node.

The SSH daemon (sshd) limits the number of concurrent unauthenticated connections using the MaxStartups parameter. Once the limit is reached, additional connections are randomly dropped until existing sessions complete authentication.

The following entries in /var/log/auth.log clearly indicate this behavior:

2026-04-05T06:35:07+02:00 [hostname] sshd[1445]: error: beginning MaxStartups throttling
2026-04-05T06:35:07+02:00 [hostname] sshd[1445]: drop connection #10 from [internal-ip]:56248 on [public-ip]:22 past MaxStartups

2026-04-09T15:00:50+02:00 [hostname] sshd[1443]: error: beginning MaxStartups throttling
2026-04-09T15:00:50+02:00 [hostname] sshd[1443]: drop connection #12 from [internal-ip]:35550 on [public-ip]:22 past MaxStartups

In the affected environment, the UCS system still used the default OpenSSH configuration because the related UCR variables were unset:

ucr search --brief ssh | grep -iE 'startup|session'

sshd/MaxSessions: <empty>
sshd/MaxStartups: <empty>

The OpenSSH defaults are:

MaxSessions 10
MaxStartups 10:30:100

Meaning:

  • Up to 10 concurrent unauthenticated SSH connections are accepted before throttling starts
  • Once 10 unauthenticated connections are open, each new connection is dropped with a probability that starts at 30% and rises as the count approaches 100
  • At 100 concurrent unauthenticated connections, all additional connections are rejected

In large UCS environments with many Replica Nodes, these defaults may no longer be sufficient.

Example:

udm computers/domaincontroller_slave list | grep -c "^DN:"
207

In this environment, more than 200 Replica Nodes regularly established SSH connections to the Primary Directory Node for SYSVOL synchronization. Additional administrator or client SSH sessions further increased the number of concurrent connections.

Investigation

The issue can be identified by reviewing the following components:

1. Check SSH throttling events

Inspect /var/log/auth.log for messages similar to:

error: beginning MaxStartups throttling
drop connection #<number> past MaxStartups

2. Verify current UCR settings

ucr search --brief ssh | grep -iE 'startup|session'

If both variables are unset, the OpenSSH defaults apply.

3. Review OpenSSH parameter descriptions

ucr info sshd/MaxSessions
ucr info sshd/MaxStartups

The OpenSSH manual (man sshd_config) describes the parameters as follows:

MaxSessions

Specifies the maximum number of open shell, login or subsystem sessions permitted per network connection.
Default: 10

MaxStartups

Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
Default: 10:30:100
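
To make step 1 of the investigation repeatable, the following POSIX shell script summarises the throttling messages in auth.log: how often sshd entered throttling, how many connections it refused, the highest "#N" seen (N is the number of unauthenticated connections sshd already had when it refused the next one, i.e. the observed peak), drops per day, and the refused source addresses. This is an added example, not part of the original post or of UCS; it assumes the ISO-8601 timestamp format shown in the excerpt above, and the log lines embedded in it are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): summarise MaxStartups
# throttling from auth.log. Assumes the ISO-8601 timestamps shown in the
# post's log excerpt. The sample lines below are constructed, not real.
SAMPLE_AUTH_LOG='2026-04-05T06:35:07+02:00 primary sshd[1445]: error: beginning MaxStartups throttling
2026-04-05T06:35:07+02:00 primary sshd[1445]: drop connection #10 from [10.0.1.23]:56248 on [192.0.2.10]:22 past MaxStartups
2026-04-05T06:35:08+02:00 primary sshd[1445]: drop connection #11 from [10.0.1.24]:40112 on [192.0.2.10]:22 past MaxStartups
2026-04-05T06:36:00+02:00 primary sshd[1445]: Accepted publickey for root from 10.0.1.23 port 56250 ssh2: ED25519 SHA256:constructedfingerprint
2026-04-09T15:00:50+02:00 primary sshd[1443]: error: beginning MaxStartups throttling
2026-04-09T15:00:50+02:00 primary sshd[1443]: drop connection #12 from [10.0.1.30]:35550 on [192.0.2.10]:22 past MaxStartups'

# All functions read the log on stdin.

# Number of times sshd entered throttling (one line per episode)
count_throttling_events() {
    grep -c 'error: beginning MaxStartups throttling' || true
}

# Number of individual connections refused past MaxStartups
count_dropped_connections() {
    grep -c ' past MaxStartups$' || true
}

# Highest "#N" in the drop messages: N is how many unauthenticated
# connections sshd already had when it refused the next one, so this is
# the observed peak load. Prints nothing if no connection was dropped.
peak_unauthenticated() {
    sed -n 's/.*drop connection #\([0-9][0-9]*\) .*/\1/p' | sort -n | tail -n 1
}

# Drops per calendar day, to line them up with synchronisation schedules
drops_per_day() {
    grep ' past MaxStartups$' | cut -c1-10 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Source addresses that were refused, for correlating with the Replica Node list
dropped_sources() {
    sed -n 's/.*drop connection #[0-9]* from \[\([^]]*\)\]:.*/\1/p' | sort -u
}

# Summarise a log fed on stdin, e.g.:  report < /var/log/auth.log
# On a UCS host, compare the peak with:  ucr get sshd/MaxStartups
report() {
    log=$(cat)
    printf 'throttling episodes:        %s\n' "$(printf '%s\n' "$log" | count_throttling_events)"
    printf 'dropped connections:        %s\n' "$(printf '%s\n' "$log" | count_dropped_connections)"
    printf 'peak unauthenticated conns: %s\n' "$(printf '%s\n' "$log" | peak_unauthenticated)"
    printf 'drops per day:\n'
    printf '%s\n' "$log" | drops_per_day | sed 's/^/  /'
    printf 'refused sources:\n'
    printf '%s\n' "$log" | dropped_sources | sed 's/^/  /'
}

# Run against the constructed sample
printf '%s\n' "$SAMPLE_AUTH_LOG" | report
```

If the peak "#N" stays close to the "start" value of the configured MaxStartups triple, the limit was hit only marginally; a peak well above it shows how much headroom a new value needs. Logs that use the traditional "Apr  5 06:35:07" syslog timestamp need a different date extraction in drops_per_day.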

Solution

Increase the SSH connection limits using Univention Configuration Registry (UCR) variables.

Example configuration:

  • ucr set sshd/MaxStartups="100:30:200"
  • ucr set sshd/MaxSessions="100"
  • systemctl restart sshd.service

Explanation of the selected values:

  • MaxStartups="100:30:200"

    • SSH throttling starts only after 100 concurrent unauthenticated connections
    • Between 100 and 200 unauthenticated connections, new connections are dropped with a probability that starts at 30% and rises towards 100%
    • All additional connections are rejected above 200 concurrent connections
  • MaxSessions="100"

    • Allows up to 100 concurrent shell, login, or subsystem sessions per network connection

After restarting the SSH daemon, the resulting configuration should look similar to:

grep -E 'MaxSession|MaxStartup' /etc/ssh/sshd_config

MaxSessions 100
MaxStartups 100:30:200
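
The following POSIX shell script models how sshd applies a MaxStartups "start:rate:full" value, so the default 10:30:100 from the Root Cause section and the 100:30:200 chosen above can be compared at a given number of unauthenticated connections (for instance the "#N" reported in auth.log). It is an added example, not code from the original post, from Univention or from OpenSSH; the integer arithmetic mirrors the drop_connection() routine in OpenSSH's sshd.c and the sanity rules sshd applies when parsing the option (rate between 1 and 100, start not above full, a plain "N" meaning start = full = N), while the function names are this example's own. MaxSessions does not enter the calculation: it caps shell, login or subsystem sessions multiplexed over one already authenticated connection and has no effect on throttling of unauthenticated connections.

```shell
#!/bin/sh
# Added example (not from the original post, Univention or OpenSSH): a model
# of sshd's MaxStartups "start:rate:full" throttling. The arithmetic follows
# drop_connection() in OpenSSH's sshd.c: below "start" nothing is refused;
# at "start" a new connection is refused with probability rate %; the
# probability grows linearly and reaches 100 % at "full". A plain "N" means
# start = full = N. Function names are this example's own choice.

# parse_maxstartups VALUE: sets start, rate and full and applies sshd's own
# sanity rules (rate 1..100, start not above full). Returns 1 on bad input.
parse_maxstartups() {
    case $1 in
        *:*:*) start=${1%%:*}; rest=${1#*:}; rate=${rest%%:*}; full=${rest#*:} ;;
        *:*)   echo "MaxStartups: expected start:rate:full, got '$1'" >&2; return 1 ;;
        *)     start=$1; rate=100; full=$1 ;;   # plain N: refuse everything once N are open
    esac
    for v in "$start" "$rate" "$full"; do
        case $v in
            ''|*[!0-9]*) echo "MaxStartups: non-numeric field in '$1'" >&2; return 1 ;;
        esac
    done
    [ "$rate" -ge 1 ] && [ "$rate" -le 100 ] || { echo "MaxStartups: rate must be 1..100" >&2; return 1; }
    [ "$start" -le "$full" ] || { echo "MaxStartups: start must not exceed full" >&2; return 1; }
}

# drop_probability VALUE N: percent chance that sshd refuses the next
# connection while N unauthenticated connections are already open
drop_probability() {
    parse_maxstartups "$1" || return 1
    n=$2
    if [ "$n" -lt "$start" ]; then
        echo 0
    elif [ "$n" -ge "$full" ] || [ "$rate" -eq 100 ]; then
        echo 100
    else
        # same integer operation order as sshd: (100-rate)*(n-start)/(full-start)+rate
        echo $(( (100 - rate) * (n - start) / (full - start) + rate ))
    fi
}

# compare_limits VALUE...: drop chance at several load levels, side by side
compare_limits() {
    printf '%-13s' 'unauth conns'
    for spec in "$@"; do printf '%14s' "$spec"; done
    echo
    for n in 5 10 50 100 150 199 200 250; do
        printf '%-13s' "$n"
        for spec in "$@"; do printf '%13s%%' "$(drop_probability "$spec" "$n")"; done
        echo
    done
}

# The post's default next to its increased value. For a single load level
# taken from auth.log, e.g. the logged "#12":  drop_probability 100:30:200 12
compare_limits 10:30:100 100:30:200
```

The table makes the sizing rule visible: the "start" value has to stay above the number of Replica Nodes and administrators that can be in the authentication phase at the same moment, otherwise the linear ramp begins to refuse connections long before "full" is reached, which is exactly the "first attempt fails, second succeeds" symptom described at the top.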

Recommendation

In larger UCS environments, especially environments with many Replica Nodes or frequent automated SSH-based synchronization jobs, the default OpenSSH limits may be too restrictive.

Administrators should review and adjust:

  • sshd/MaxStartups
  • sshd/MaxSessions

according to the size and workload of the environment.
