bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-02 23:42 UTC
[Bug 2580] New: Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
https://bugzilla.mindrot.org/show_bug.cgi?id=2580
Bug ID: 2580
Summary: Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
Product: Portable OpenSSH
Version: 7.2p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: openssh at mzpqnxow.com
Created attachment 2821
--> https://bugzilla.mindrot.org/attachment.cgi?id=2821&action=edit
Patch for OpenSSH Portable GitHub master branch to add MaxDisplays option
Please see the post at
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-June/035125.html
I have attached the patch; it is also inlined in the e-mail.
In short, this moves a hardcoded port range limit dealing with X11
forwards to a configuration option called MaxDisplays. The mailing list
post has more details.
This is a request to have this merged in as a feature.
The pull request against the GitHub openssh-portable is available at
https://github.com/openssh/openssh-portable/pull/41
Thanks.
A
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-02 23:43 UTC
[Bug 2580] Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
https://bugzilla.mindrot.org/show_bug.cgi?id=2580
AG <openssh at mzpqnxow.com> changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |openssh at mzpqnxow.com
bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-04 19:58 UTC
[Bug 2580] Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
https://bugzilla.mindrot.org/show_bug.cgi?id=2580
--- Comment #1 from AG <openssh at mzpqnxow.com> ---
I will implement changes to the patch based on feedback from
openssh-unix-dev and RHEL engineers and then report back. It seems that
others agree this is a reasonable feature to have.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-04 23:22 UTC
[Bug 2580] Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
https://bugzilla.mindrot.org/show_bug.cgi?id=2580
AG <openssh at mzpqnxow.com> changed:
What                  |Removed |Added
----------------------------------------------------------------------------
Attachment #2821      |0       |1
  is obsolete         |        |
--- Comment #2 from AG <openssh at mzpqnxow.com> ---
Created attachment 2825
--> https://bugzilla.mindrot.org/attachment.cgi?id=2825&action=edit
Updated X11MaxDisplays patch w/documentation and fixed whitespace
This is an updated patch for anongit OpenSSH that provides
X11MaxDisplays. It includes documentation in sshd_config and a more
consistent coding style, including whitespace and variable naming, etc.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-27 14:37 UTC
[Bug 2580] [PATCH] Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
https://bugzilla.mindrot.org/show_bug.cgi?id=2580
Jakub Jelen <jjelen at redhat.com> changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |jjelen at redhat.com
--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2843
--> https://bugzilla.mindrot.org/attachment.cgi?id=2843&action=edit
cleaned up patch from Adam (whitespace, magic number)
The last thing I didn't like in the patch was the use of the magic
number 6000 (also in other places in the same file) and a few more
tabs/spaces mixtures, which I fixed in the last attachment.
Damien, Darren, what do you think about that? Would you have a minute
to have a look if this would be acceptable for upstream to avoid future
incompatibility?
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-14 17:24 UTC
[Bug 2580] [PATCH] Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
https://bugzilla.mindrot.org/show_bug.cgi?id=2580
AG <openssh at mzpqnxow.com> changed:
What            |Removed |Added
----------------------------------------------------------------------------
Keywords        |        |patch
--- Comment #4 from AG <openssh at mzpqnxow.com> ---
Update:
I understand this didn't make it into 7.3 due to the size of the patch
relative to some of the smaller patches, which were easier to review.
I'm hoping someone will have the chance to review for 7.3px or 7.4. The
majority of the patch is boilerplate (a new integer option in
sshd_config and accompanying field in ServerOptions) and it doesn't
change any behavior unless explicitly used in sshd_config, it just
allows a default setting to be changed by the user, as opposed to
changing a #define and rebuilding.
I realize there haven't been many (any?) requests to the list for this
functionality, but it does seem like something best suited for a config
option by common sense: it's one of the only hard-coded 'limits' in
this part of the code, aside from mandatory implementation details and
things having to do with security, which are obviously set and fixed at
specific values for very good reasons.
One could argue that allowing the user to change the limit that is
currently set (MAX_DISPLAYS 1000) has potential stability (and thus
security) implications since it would allow authenticated users to
allocate N ports on the loopback device, but this risk is clearly
documented in the man page and I think it's fair to say that any
sysadmin messing with this setting will understand the risk. It isn't
really too far off from allowing sysadmins to set values like
MaxAuthTries, AllowTcpForwarding, and other variables when it comes to
protecting the user from shooting one's own foot.
As always, if there's anything I can do to help beyond using this patch
in my environment, let me know.
FWIW, this change has been live on (critical) production infrastructure
for at LEAST 2 years now, in an environment supporting > 5000 users,
with many many more concurrent active sessions. This sounds silly since,
in retrospect, I should have cleaned up and submitted the patch much
sooner.
Thanks Jakub for the whitespace cleanup and the adjustment of the
'magic number' for the X11 base port, and thanks to anyone who is
willing to help in reviewing this for the next release. I would love to
get this into RHEL 7.3 or 7.4 (and other distributions, for the sake of
other users who may need it now or down the line) but until it goes
upstream, that is unlikely to happen.
Thanks
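As an added example, not code from the patch or from OpenSSH itself: a small C model of the display search that the MaxDisplays option governs, showing how the configured limit bounds the loopback ports X11 forwards can hold (the exposure comment #4 weighs). Function names, the in-use table and the parser are hypothetical; the only values taken from the thread are the 6000 base port and the default MAX_DISPLAYS of 1000.

```c
/* Added example, not OpenSSH code; names are hypothetical. */
#include <stdlib.h>
#define X11_BASE_PORT 6000        /* TCP port of display :0, the "magic number" in the thread */
#define DEFAULT_MAX_DISPLAYS 1000 /* the compiled-in MAX_DISPLAYS the option replaces */
#define MAX_POSSIBLE_DISPLAYS (65535 - X11_BASE_PORT + 1) /* highest usable limit */

/* Constructed stand-in for "bind() on 127.0.0.1:port already taken". */
static unsigned char display_in_use[MAX_POSSIBLE_DISPLAYS];

/* Parse the sshd_config value as a cautious option parser would: reject
 * non-numeric input, zero/negative values and limits whose port would exceed
 * 65535. Returns the accepted limit or -1. */
int parse_max_displays(const char *arg)
{
	char *end;
	long v = strtol(arg, &end, 10);

	if (*end != '\0' || v <= 0 || v > MAX_POSSIBLE_DISPLAYS)
		return -1;
	return (int)v;
}

/* Record that display n is already bound; 0 on success, -1 if out of range. */
int mark_display_in_use(int n)
{
	if (n < 0 || n >= MAX_POSSIBLE_DISPLAYS)
		return -1;
	display_in_use[n] = 1;
	return 0;
}

/* Mirror of the search sshd performs: try displays [offset, max_displays) and
 * return the first free port, or -1 once the configured range is exhausted,
 * the point at which sshd refuses the X11 forward. */
int alloc_display_port(int offset, int max_displays)
{
	for (int n = offset < 0 ? 0 : offset; n < max_displays && n < MAX_POSSIBLE_DISPLAYS; n++)
		if (!display_in_use[n])
			return X11_BASE_PORT + n;
	return -1;
}

/* Upper bound on loopback ports X11 forwards can hold under a given config:
 * the exposure comment #4 describes grows linearly with the limit. */
int max_forwardable_ports(int offset, int max_displays)
{
	int n = max_displays - offset;
	return n > 0 ? n : 0;
}
```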
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-25 00:21 UTC
[Bug 2580] [PATCH] Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
https://bugzilla.mindrot.org/show_bug.cgi?id=2580
--- Comment #5 from AG <openssh at mzpqnxow.com> ---
Note, this went into RHEL 7.3 but does not appear to be in the official
OpenSSH source at this time. It is verified functional in my environment
(on RHEL 7.3).