[Bug 1327] New: The limit of 100 forwarded ports is arbitrary and unnecessary

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Jul 3 00:26:04 EST 2007


           Summary: The limit of 100 forwarded ports is arbitrary and unnecessary
           Product: Portable OpenSSH
           Version: 4.6p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P1
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: archie at dellroad.org

Subject line says it all.

The limit of 100 forwarded ports (e.g., using "-L" flag) is arbitrary
and unnecessary. It is an example of what John Ousterhout would call a
"voodoo constant", i.e., a value randomly chosen by a developer at some
point in time without any basis in science or measurement. It is an
example of the frowned-upon practice of encoding policy into software
(software should encode mechanisms... policy should be left to config
files, command line flags, etc. (i.e., a human)).

This limitation is like having a law stating that you are not allowed
to buy more than 5 dozen eggs at the supermarket. Sure, most people
don't buy more than 60 eggs at a time, but does that mean there needs
to be a law against it?

Motivation: at my company we use SSH port forwarding as part of a cheap
and dirty VPN scheme to establish contact between many machines. Now
that there are more than 100 other machines out there, this scheme has
stopped working. All because of a completely artificial and unnecessary

This limitation is easily worked around, of course: just start two or
more SSH sessions. Kind of like going to the store twice in a row to buy
120 eggs by buying 60 eggs twice. This of course is just more evidence
that this limitation is useless.

So at the minimum, please make this limit configurable in
/etc/ssh/ssh_config, or better yet get rid of it altogether. The UNIX
O/S already has mechanisms in place to limit resource utilization by
individual accounts. SSH doesn't need to apply its own additional,
arbitrary limitation.
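The multi-session workaround the report describes, as an added example that is not part of the bug report or of OpenSSH's own code: a POSIX shell script that splits a list of `-L` forward specifications into batches of at most 100 per `ssh` invocation, so a list of 120 forwards becomes two command lines. The gateway host name `gateway.example`, the `10.0.0.x` addresses and the input format (one forward spec per line) are assumptions; the script only prints the command lines and connects nowhere.

```shell
#!/bin/sh
# Added example: batch -L forwards so that no single ssh session exceeds
# the 100-forwards-per-direction limit described in the report.
# Host name and addresses below are constructed placeholders.

MAX_FORWARDS=100   # the per-session limit the report complains about

# forward_batches FILE [HOST]: read one "-L" spec per line from FILE and
# print one "ssh -N ... HOST" command line per batch of <= MAX_FORWARDS.
forward_batches() {
    file=$1
    host=${2:-gateway.example}   # assumed placeholder host
    count=0
    cmd="ssh -N"
    # "|| [ -n "$spec" ]" keeps a last line that lacks a trailing newline
    while IFS= read -r spec || [ -n "$spec" ]; do
        [ -z "$spec" ] && continue          # skip blank lines
        cmd="$cmd -L $spec"
        count=$((count + 1))
        if [ "$count" -eq "$MAX_FORWARDS" ]; then
            printf '%s %s\n' "$cmd" "$host"  # batch is full: emit it
            cmd="ssh -N"
            count=0
        fi
    done < "$file"
    # emit the final, partially filled batch (if any)
    [ "$count" -gt 0 ] && printf '%s %s\n' "$cmd" "$host"
    return 0
}

# count_batches FILE: number of ssh sessions the forward list needs.
count_batches() {
    forward_batches "$1" | wc -l | tr -d ' '
}

# make_sample N: constructed input of N forwards, local port 10000+i to
# machine 10.0.0.i port 22 (i = 1..N), mirroring the report's many-hosts
# setup. Written to stdout.
make_sample() {
    i=1
    while [ "$i" -le "$1" ]; do
        printf '%d:10.0.0.%d:22\n' $((10000 + i)) "$i"
        i=$((i + 1))
    done
}

# Usage: sh batch_forwards.sh FORWARD_LIST_FILE [HOST]
if [ "$#" -gt 0 ]; then
    forward_batches "$@"
fi
```

To try it with the report's 120-forward scenario: `make_sample 120 > fw.txt; sh batch_forwards.sh fw.txt` prints two `ssh -N` command lines, the first with 100 `-L` options and the second with 20.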

