[Bug 2282] New: When group member count exceeds 126, config reliant fails
bugzilla-daemon at mindrot.org
Thu Sep 25 06:52:12 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2282
Bug ID: 2282
Summary: When group member count exceeds 126, config reliant fails
Product: Portable OpenSSH
Version: 5.3p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs at mindrot.org
Reporter: rake74 at gmail.com

Match Group sftponly
    ChrootDirectory /cust/ftp/secure/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -l INFO
Match Address *,!10.* Group *,!sftponly
    ForceCommand echo 'External shell access denied.'

These two lines succeed at:
1) when connections are attempted by users in 'sftponly', they're
limited to SFTP via internal-sftp successfully.
2) when connections are attempted from external locations, and the
account is NOT in 'sftponly' group, they're blocked.
Except when the number of users in the sftponly account reaches 127
users. At this point after successfully authenticating, the connection
is ended with the error code 255 from the server.
I have set up a local workaround, by splitting the group, duplicating
match group for new group and tweaking the match address config:

Match Group sftponly
    ChrootDirectory /cust/ftp/secure/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -l INFO
Match Group sftponly2
    ChrootDirectory /cust/ftp/secure/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -l INFO
Match Address *,!10.* Group *,!sftponly*
    ForceCommand echo 'External shell access denied.'

As long as no new members are added to the group that has 126 users in
it already, then all is well.
It would be best to not have to deal with a limit of 126 to the number
of users in the group.
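
A check for the condition described in this report, as an added example that is not part of the original bug report or of OpenSSH: it lists groups named in Match Group criteria whose member list is longer than a limit (126 here, the figure the reporter gives). The function names and sample data are constructed for illustration, and only members listed on the group file line are counted.

```shell
#!/bin/sh
# Added example, not from the bug report: list groups named in sshd_config
# "Match ... Group" criteria whose member list exceeds a threshold.
# Assumption: only members listed in the group database line are counted.

# Print the group patterns used in Match lines ("!" stripped, bare "*" skipped).
match_group_patterns() {
    awk 'tolower($1) == "match" {
        for (i = 2; i < NF; i++)
            if (tolower($i) == "group") {
                n = split($(i + 1), pats, ",")
                for (j = 1; j <= n; j++) {
                    p = pats[j]; sub(/^!/, "", p)
                    if (p != "" && p != "*") print p
                }
            }
    }' "$1" | sort -u
}

# Args: sshd_config, group file (getent group format), limit.
# Prints "name count" per matching group. Runs in a subshell so that
# "set -f" (keep patterns such as sftponly* unexpanded) does not leak.
oversized_match_groups() (
    set -f
    patterns=$(match_group_patterns "$1")
    while IFS=: read -r name _pw _gid members; do
        [ -n "$members" ] || continue
        count=$(printf '%s\n' "$members" | awk -F, '{ print NF }')
        [ "$count" -gt "$3" ] || continue
        for p in $patterns; do
            case $name in $p) echo "$name $count"; break ;; esac
        done
    done < "$2"
)

# Constructed sample data: Match lines from the report, synthetic members.
mk_members() { awk -v a="$1" -v b="$2" 'BEGIN { for (i = a; i <= b; i++) printf "%su%d", (i > a ? "," : ""), i }'; }
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'Match Group sftponly' \
        'Match Address *,!10.* Group *,!sftponly' > "$dir/sshd_config"
    {
        printf 'sftponly:x:2001:%s\n' "$(mk_members 1 127)"
        printf 'sftponly2:x:2002:%s\n' "$(mk_members 128 253)"
        printf 'staff:x:2003:%s\n' "$(mk_members 1 200)"
    } > "$dir/group"
    oversized_match_groups "$dir/sshd_config" "$dir/group" 126
    rm -rf "$dir"
}
demo
```

On a live host the group file argument can be a saved copy of the output of getent group.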