bugzilla-daemon at bugzilla.mindrot.org
2007-Jul-02 14:26 UTC
[Bug 1327] New: The limit of 100 forwarded ports is arbitrary and unnecessary
http://bugzilla.mindrot.org/show_bug.cgi?id=1327

           Summary: The limit of 100 forwarded ports is arbitrary and unnecessary
           Product: Portable OpenSSH
           Version: 4.6p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P1
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: archie at dellroad.org

Subject line says it all. The limit of 100 forwarded ports (e.g., using "-L" flag) is arbitrary and unnecessary.

It is an example of what John Ousterhout would call a "voodoo constant", i.e., a value randomly chosen by a developer at some point in time without any basis in science or measurement.

It is an example of the frowned-upon practice of encoding policy into software (software should encode mechanisms... policy should be left to config files, command line flags, etc. (i.e., a human)).

This limitation is like having a law stating that you are not allowed to buy more than 5 dozen eggs at the supermarket. Sure, most people don't buy more than 60 eggs at a time, but does that mean there needs to be a law against it?

Motivation: at my company we use SSH port forwarding as part of a cheap and dirty VPN scheme to establish contact between many machines. Now that there are more than 100 other machines out there, this scheme has stopped working. All because of a completely artificial and unnecessary limit.

This limitation is easily worked around, of course: just start two or more SSH sessions. Kind of like going to the store twice in a row to buy 120 eggs by buying 60 eggs twice. This of course is just more evidence that this limitation is useless.

So at the minimum, please make this limit configurable in /etc/ssh/ssh_config, or better yet get rid of it altogether. The UNIX O/S already has mechanisms in place to limit resource utilization by individual accounts. SSH doesn't need to apply its own additional, arbitrary limitation.

Thanks!
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-03 05:31 UTC
[Bug 1327] The limit of 100 forwarded ports is arbitrary and unnecessary
https://bugzilla.mindrot.org/show_bug.cgi?id=1327

--- Comment #1 from Josh Triplett <josh at freedesktop.org> 2008-01-03 16:31:34 ---
I agree that this does seem like an arbitrary limit. However, to address your particular use-case, you might find the new tunnel support useful.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-09 04:43 UTC
[Bug 1327] The limit of 100 forwarded ports is arbitrary and unnecessary
https://bugzilla.mindrot.org/show_bug.cgi?id=1327

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1708
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-18 02:35 UTC
[Bug 1327] The limit of 100 forwarded ports is arbitrary and unnecessary
https://bugzilla.mindrot.org/show_bug.cgi?id=1327

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 1866
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1866
/home/djm/ssh-unlimit-forwards.diff

dynamically allocate forwards and permitted opens.

Use of xrealloc should be sufficient to avoid integer overflows.
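The approach comment #2 describes, replacing a fixed table of forwards with an array grown on demand through an overflow-checked reallocation, sketched as an added example. This is not the attached patch or OpenSSH code; `struct fwd`, `fwd_add` and `checked_realloc_array` are hypothetical names, and unlike a fatal-on-error allocator this helper returns NULL so the caller can reject the request.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical forward entry; field names are illustrative only. */
struct fwd { int listen_port; int connect_port; };

struct fwd_table {
    struct fwd *entries;   /* heap array, grown one slot at a time */
    size_t      count;     /* entries in use */
};

/* Overflow-checked array realloc: returns NULL (ptr stays valid) when
 * nmemb * size would wrap past SIZE_MAX or when realloc itself fails. */
static void *checked_realloc_array(void *ptr, size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0 || nmemb > SIZE_MAX / size)
        return NULL;
    return realloc(ptr, nmemb * size);
}

/* Append one forward; returns 0 on success, -1 on overflow or OOM. */
static int fwd_add(struct fwd_table *t, const struct fwd *f)
{
    struct fwd *n;
    if (t->count == SIZE_MAX)
        return -1;                      /* count + 1 would wrap */
    n = checked_realloc_array(t->entries, t->count + 1, sizeof(*n));
    if (n == NULL)
        return -1;                      /* table left unchanged */
    n[t->count++] = *f;
    t->entries = n;
    return 0;
}

/* Constructed demo: add `want` forwards, returning how many were stored. */
static size_t demo_add_many(size_t want)
{
    struct fwd_table t = { NULL, 0 };
    struct fwd f = { 0, 0 };
    size_t i, got;
    for (i = 0; i < want; i++) {
        f.listen_port = f.connect_port = 10000 + (int)i;
        if (fwd_add(&t, &f) != 0)
            break;
    }
    got = t.count;
    free(t.entries);
    return got;
}

int main(void) { return demo_add_many(250) == 250 ? 0 : 1; }
```

With no compiled-in ceiling, the remaining bound on the number of forwards is whatever memory and descriptor limits the operating system enforces on the process.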
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-18 02:35 UTC
[Bug 1327] The limit of 100 forwarded ports is arbitrary and unnecessary
https://bugzilla.mindrot.org/show_bug.cgi?id=1327

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1866|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-25 07:15 UTC
[Bug 1327] The limit of 100 forwarded ports is arbitrary and unnecessary
https://bugzilla.mindrot.org/show_bug.cgi?id=1327

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
patch applied - will be in OpenSSH-5.6
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:33 UTC
[Bug 1327] The limit of 100 forwarded ports is arbitrary and unnecessary
https://bugzilla.mindrot.org/show_bug.cgi?id=1327

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:57 EST ---
Move resolved bugs to CLOSED after 5.7 release