Hey everyone,

I have been using sftp for quite some time now and we have just hit 256 sftp users. Line 21 of servconf.h reads:

#define MAX_ALLOW_USERS 256 /* Max # users on allow list. */

I am curious why this is in a header file and not something that is in sshd_config that can be changed without recompile?

Thanks in advance!

--
James Dennis
Harvard Law School

"Not everything that counts can be counted,
and not everything that can be counted counts."
> Hey everyone,
>
> I have been using sftp for quite some time now and we have just hit 256
> sftp users. Line 21 of servconf.h reads:
>
> #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
>
> I am curious why this is in a header file and not something that is in
> sshd_config that can be changed without recompile?

You have 256 users listed in AllowUser?! Maybe you need to consider moving to a denylist instead.

- Ben

> Thanks in advance!
>
> --
> James Dennis
> Harvard Law School
>
> "Not everything that counts can be counted,
> and not everything that can be counted counts."
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> > WHY do you have 256 AllowUser? Is it a case where you
> > would be better off with 20 DenyUser lines?
>
> DenyUser is almost always a bad idea. Explicit permits are
> much better than denies - denies fail to take account of new
> users, and fail open, rather than fail closed.

I strongly agree that "default deny, allow specific" is the better answer--and I suspect that's why the reporting site is doing things the way they are. As someone else already noted, though, it would appear that the right answer is to add support for AllowGroup.

AllowUser is also not really something that can be a runtime configuration option, since there does need to be a maximum data structure size defined during compilation. If someone really needs more than 256 AllowUser lines in the short term, then they should modify that #define.

--
Rip Loomis
Brainbench MVP for Internet Security
http://www.brainbench.com [Transcript 1923411]
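A small config audit, added here as an example and not taken from the thread or from the OpenSSH project, that counts AllowUsers patterns the way sshd fills its allow list (every token on every AllowUsers line) against the 256 compile-time cap discussed above, and separately flags DenyUsers because of the fail-open point raised in the replies. The sample sshd_config fragment and user names are constructed; comment stripping is a simplification of sshd's own parser.

```shell
# Compile-time cap quoted from servconf.h in the thread.
MAX_ALLOW_USERS=256

# Print the number of AllowUsers patterns in the sshd_config given as $1.
# Every space-separated token after the keyword is one pattern, so three
# users on one line count as three entries in sshd's allow list.
count_allow_users() {
    sed 's/#.*//' "$1" \
    | awk 'tolower($1) == "allowusers" { n += NF - 1 } END { print n + 0 }'
}

# Print 1 if DenyUsers appears anywhere (a denylist fails open for new
# accounts, as noted above), else 0.
uses_deny_users() {
    sed 's/#.*//' "$1" \
    | awk 'tolower($1) == "denyusers" { found = 1 } END { print found + 0 }'
}

# Return 0 while the allow list is under the cap; return 1 once it reaches
# it, since the next AllowUsers entry would exceed MAX_ALLOW_USERS.
check_allow_list() {
    n=$(count_allow_users "$1")
    if [ "$n" -ge "$MAX_ALLOW_USERS" ]; then
        echo "WARNING: $n AllowUsers patterns reach the cap of $MAX_ALLOW_USERS; consider AllowGroups" >&2
        return 1
    fi
    if [ "$(uses_deny_users "$1")" = "1" ]; then
        echo "NOTE: DenyUsers is in use; it fails open for accounts not listed" >&2
    fi
    echo "OK: $n AllowUsers patterns (cap $MAX_ALLOW_USERS)"
    return 0
}

# Constructed sample config for a stand-alone run (hypothetical users).
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# constructed sshd_config fragment
Subsystem sftp /usr/libexec/sftp-server
AllowUsers alice bob carol
allowusers dave@10.0.0.0/8
#AllowUsers commented-out
EOF
check_allow_list "$sample_cfg"
rm -f "$sample_cfg"
```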