OpenSSH (the book) says this about SSH multiplexing:
Multiplexing is the ability to send more than one signal over a single line or connection. In OpenSSH, multiplexing can re-use an existing outgoing TCP connection for multiple concurrent SSH sessions to a remote SSH server, avoiding the overhead of creating a new TCP connection and reauthenticating each time.
For example, maybe you want to use the Docker CLI on
jump-host.example.org, against a Docker daemon on
docker-host.example.org. You follow
the Docker docs' suggestion
for setting up Docker over SSH, including multiplexing:
After using this setup for a while, you notice that SSHing into
docker-host fails occasionally with an error message like
"Session open refused by peer". You Google and discover that, by
default, OpenSSH has a limit of 10 multiplexed sessions per TCP
connection. Beyond that,
docker-host starts rejecting sessions.
You resolve this by increasing the
MaxSessions setting in
docker-host, to 100,
1,000, or 2,147,483,647 (the max value for a 32-bit signed integer, to
disable this limit entirely).
However, even after bumping
MaxSessions and restarting
sshd service, you still see the error message.
sshd -T shows that
sshd_config is valid and
MaxSessions correctly. What's going on?
The problem is, restarting
sshd doesn't kill existing SSH
docker-host, those existing sessions are
supported by existing
sshd instances. And those existing
processes use the old configuration from
Fixing the immediate problem is easy. Just delete
jump-host. But how
to avoid this next time you update
Part of the problem is
ControlPersist yes. This means
that the master SSH session between
docker-host, the one that all the multiplexed sessions
run on, stays open until you close it manually. Even between
sshd service restarts.
So you change ControlPersist to a time, e.g.
way, if the master session lives for more than 60 minutes, it'll close
as soon as all its multiplexed sessions also close. Which should
happen... at some point? Probably? Fingers crossed.