|
| 1 | +--- |
| 2 | +title: Use "MaxStartups" and "MaxSessions" to Troubleshoot OpenSSH Connection Issues |
| 3 | +description: This article explains how to troubleshoot OpenSSH connection issues by using the `MaxStartups` and `MaxSessions` parameters to limit client connections to the OpenSSH Server service. |
| 4 | +ms.date: 10/13/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika, v-appelgatet |
| 9 | +ms.custom: |
| 10 | +- sap:system management components\openssh (including sftp) |
| 11 | +- pcy:WinComm User Experience |
| 12 | +appliesto: |
| 13 | +- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Supported versions of Windows Server</a> |
| 14 | +--- |
| 15 | + |
| 16 | +# How to use "MaxStartups" and "MaxSessions" to troubleshoot OpenSSH connection issues |
| 17 | + |
| 18 | +This guide explains how to use the `MaxStartups` and `MaxSessions` parameters to limit client connections to the OpenSSH Server service. |
| 19 | +These settings help you troubleshoot connection issues and to manage unauthenticated and authenticated SSH sessions, especially in high-load environments. |
| 20 | + |
| 21 | +## Symptoms |
| 22 | + |
| 23 | +You can use `MaxStartups` and `MaxSessions` to address the following types of symptoms. |
| 24 | + |
| 25 | +- Symptom 1: Clients can't connect to the OpenSSH Server service and establish sessions. Additionally, you might see errors such as the following messages: |
| 26 | + |
| 27 | + - Connection reset by peer |
| 28 | + - Exceeded MaxStartups |
| 29 | + - Negotiation failed |
| 30 | + |
| 31 | +- Symptom 2: In an environment that supports session multiplexing (multiple sessions per connection), clients connect and authenticate. However, the server drops the connection. |
| 32 | + |
| 33 | +## Cause |
| 34 | + |
| 35 | +Symptom 1 indicates that too many client applications are connecting to the OpenSSH Server service at once. |
| 36 | + |
| 37 | +Symptom 2 is limited to multiplexing environments, and indicates that the OpenSSH Server service can't support the number of sessions per connection that the clients are using. This symptom can occur after you configure`MaxStartups`. |
| 38 | + |
| 39 | +## How to use the parameters |
| 40 | + |
| 41 | +`MaxStartups`and `MaxSessions` are parameters in the sshd_config file, and function as follows. |
| 42 | + |
| 43 | +### MaxStartups |
| 44 | + |
| 45 | +The `MaxStartups` parameter defines how many concurrent unauthenticated connections the OpenSSH Server service can manage. This setting is especially useful on servers that support multiple parallel SSH connections, such as jump hosts or provisioning servers (such as servers that use Ansible). It's also useful in high-load environments or during brute-force attacks. |
| 46 | + |
| 47 | +The value is a set of three integers separated by colons, in the format `start:rate:full`. The integers represent the following values: |
| 48 | + |
| 49 | +- **start**: The number of unauthenticated connections that the OpenSSH Server service supports before it starts dropping connections. |
| 50 | +- **rate**: Probability that the OpenSSH Server service drops a connection. As long as the number of concurrent sessions is below the `start` value, the service ignores `rate`. However, when the number of concurrent connections surpasses `start`, each additional connection has a `rate`% probability of being dropped. |
| 51 | +- **full**: When the number of concurrent connections surpasses `full`, the service drops all additional connections. |
| 52 | + |
| 53 | +For example, consider a system that's using the configuration `MaxStartups 20:40:60`. The OpenSSH Server service manages connections as follows: |
| 54 | + |
| 55 | +- The service maintains the first 20 concurrent unauthenticated connections. |
| 56 | +- Starting with the 21st connection attempt, there's a 40% probability that the server drops the new connection attempt. |
| 57 | +- After the service reaches 60 concurrent unauthenticated connections, the server rejects all further connection attempts. |
| 58 | + |
| 59 | +### MaxSessions |
| 60 | + |
| 61 | +The `MaxSessions` parameter defines how many open shell, login, or subsystem (for example, sftp) sessions that the OpenSSH Server service permits for each network connection. Setting `MaxSessions` to `1` effectively disables session multiplexing. Setting it to `0` prevents all shell, login, and subsystem sessions, but allows port forwarding. The default value is `10`. |
| 62 | + |
| 63 | +### How to set the connection parameters |
| 64 | + |
| 65 | +To modify these parameters for the Windows OpenSSH Server service, modify the sshd_config file and restart the OpenSSH Server service. To do this, follow these steps: |
| 66 | + |
| 67 | +1. Using an Administrator-level account, open a text editor, and then open **%ProgramData%\ssh\sshd_config**. The default text these settings should resemble the following excerpt: |
| 68 | + |
| 69 | + ```output |
| 70 | + #MaxStartups 10 |
| 71 | + ``` |
| 72 | + |
| 73 | + ```output |
| 74 | + #MaxSessions 10 |
| 75 | + ``` |
| 76 | + |
| 77 | + > [!NOTE] |
| 78 | + > `MaxSessions` typically appears within the `# Authentication` section of the file. `MaxStartups` typically appears in a list of general options later in the file. |
| 79 | +
|
| 80 | +1. To enable `MaxStartup` or `MaxSessions` and set values, edit the text to resemble the following excerpt: |
| 81 | + |
| 82 | + ```output |
| 83 | +
|
| 84 | + MaxStartups 20:40:60 |
| 85 | + ``` |
| 86 | + |
| 87 | + ```output |
| 88 | + MaxSessions 15 |
| 89 | + ``` |
| 90 | + |
| 91 | + > [!NOTE] |
| 92 | + > In this command, `20:40:60` and `15` are example values. Use values that're appropriate for your environment. |
| 93 | +
|
| 94 | +1. Save and close the sshd_config file. |
| 95 | + |
| 96 | +1. To verify the configuration, open a Windows PowerShell Command Prompt window, and then run the following command: |
| 97 | + |
| 98 | + ```powershell |
| 99 | + sshd -t |
| 100 | + ``` |
| 101 | +
|
| 102 | +1. To restart the OpenSSH Server service, open a Windows Command Prompt window, and then run the following command: |
| 103 | +
|
| 104 | + ```console |
| 105 | + NET STOP "OpenSSH SSH Server" && NET START "OpenSSH SSH Server" |
| 106 | + ``` |
| 107 | + |
| 108 | +After the service restarts, it uses the new parameter values. |
| 109 | + |
| 110 | +## More information |
| 111 | + |
| 112 | +- [Windows configurations in sshd_config](/windows-server/administration/OpenSSH/openssh-server-configuration#windows-configurations-in-sshd_config) in "OpenSSH Server configuration for Windows Server and Windows" |
| 113 | +- [sshd_config(5) - Linux manual page](https://man7.org/linux/man-pages/man5/sshd_config.5.html) |
| 114 | +- [sshd_config - OpenSSH daemon configuration file](https://man.openbsd.org/sshd_config) |
| 115 | + |
| 116 | +[!INCLUDE [Third-party disclaimer](../../includes/third-party-disclaimer.md)] |
0 commit comments