fix: address high-severity security issues from review

- Use subtle.ConstantTimeCompare for static credential checks to prevent timing side-channel attacks - Cap failCounts (100k) and rememberedCreds (10k) maps with eviction to prevent memory exhaustion from botnet-scale scanning - Sweep expired credentials on each auth attempt - Add configurable max_connections (default 500) with semaphore to limit concurrent connections and prevent goroutine/fd exhaustion Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 16:41:23 +01:00
parent 51fdea0c2f
commit a40110f2f5
6 changed files with 90 additions and 7 deletions
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -24,6 +24,7 @@ type Server struct {
 	authenticator *auth.Authenticator
 	sshConfig     *ssh.ServerConfig
 	logger        *slog.Logger
+	connSem       chan struct{} // semaphore limiting concurrent connections
 }

 func New(cfg config.Config, logger *slog.Logger) (*Server, error) {
@@ -31,6 +32,7 @@ func New(cfg config.Config, logger *slog.Logger) (*Server, error) {
 		cfg:           cfg,
 		authenticator: auth.NewAuthenticator(cfg.Auth),
 		logger:        logger,
+		connSem:       make(chan struct{}, cfg.SSH.MaxConnections),
 	}

 	hostKey, err := loadOrGenerateHostKey(cfg.SSH.HostKeyPath)
@@ -70,7 +72,18 @@ func (s *Server) ListenAndServe(ctx context.Context) error {
 			s.logger.Error("accept error", "err", err)
 			continue
 		}
-		go s.handleConn(conn)
+
+		// Enforce max concurrent connections.
+		select {
+		case s.connSem <- struct{}{}:
+			go func() {
+				defer func() { <-s.connSem }()
+				s.handleConn(conn)
+			}()
+		default:
+			s.logger.Warn("max connections reached, rejecting", "remote_addr", conn.RemoteAddr())
+			conn.Close()
+		}
 	}
 }