[Bug 2282] New: When group member count exceeds 126, config reliant fails

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Sep 25 06:52:12 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2282

            Bug ID: 2282
           Summary: When group member count exceeds 126, config reliant
                    fails
           Product: Portable OpenSSH
           Version: 5.3p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sftp-server
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rake74 at gmail.com

Match Group sftponly
        ChrootDirectory /cust/ftp/secure/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -l INFO
Match Address *,!10.* Group *,!sftponly
        ForceCommand echo 'External shell access denied.'

These two lines succeed at:
1) when connections are attempted by users in 'sftponly', they're
limited to SFTP via internal-sftp successfully.
2) when connections are attempted from external locations, and the
account is NOT in 'sftponly' group, they're blocked.

Except when the number of users in the sftponly account reaches 127. At
this point, after successfully authenticating, the connection is ended
with error code 255 from the server.

I have set up a local workaround by splitting the group, duplicating the
Match Group block for the new group and tweaking the Match Address config:

Match Group sftponly
        ChrootDirectory /cust/ftp/secure/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -l INFO
Match Group sftponly2
        ChrootDirectory /cust/ftp/secure/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -l INFO
Match Address *,!10.* Group *,!sftponly*
        ForceCommand echo 'External shell access denied.'

As long as no new members are added to the group that has 126 users in
it already, then all is well.

It would be best to not have to deal with a limit of 126 to the number
of users in the group.

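The Match semantics the report relies on can be checked offline with the model below. It is an added example written for this page, not OpenSSH's own code, and it is a deliberate simplification: it handles only the wildcard form of sshd pattern lists (`*`, `?` and `!` negation) and only the Group and Address criteria, with no CIDR support and none of the other Match keywords. The group memberships and source addresses in it are constructed for the example. It does not model the 127-member failure the report describes; it shows only how the two Match blocks, and the `!sftponly*` glob in the workaround, decide which ForceCommand a connection receives, and why the original `*,!sftponly` negation would not have covered a second group.

```python
# Offline model of sshd_config Match evaluation for the report above.
# Added illustration, not OpenSSH code: wildcard patterns only (no CIDR),
# Group and Address criteria only. All memberships/addresses are constructed.
import fnmatch

# Match blocks as (criteria, settings) pairs in file order, as in the report.
ORIGINAL_CONFIG = [
    ({"Group": "sftponly"},
     {"ChrootDirectory": "/cust/ftp/secure/%u",
      "ForceCommand": "internal-sftp -l INFO"}),
    ({"Address": "*,!10.*", "Group": "*,!sftponly"},
     {"ForceCommand": "echo 'External shell access denied.'"}),
]

# The reporter's workaround: a second group and a glob in the negation.
WORKAROUND_CONFIG = [
    ({"Group": "sftponly"},
     {"ChrootDirectory": "/cust/ftp/secure/%u",
      "ForceCommand": "internal-sftp -l INFO"}),
    ({"Group": "sftponly2"},
     {"ChrootDirectory": "/cust/ftp/secure/%u",
      "ForceCommand": "internal-sftp -l INFO"}),
    ({"Address": "*,!10.*", "Group": "*,!sftponly*"},
     {"ForceCommand": "echo 'External shell access denied.'"}),
]


def match_pattern_list(value, pattern_list):
    """Comma-separated pattern list with '!' negation.
    Returns -1 as soon as a negated pattern matches (negation wins),
    1 if at least one positive pattern matched, 0 otherwise."""
    got_positive = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(value, pat):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def match_group(user_groups, pattern_list):
    """Match Group: every group of the user is tested; a negated hit on
    any group rejects the user, otherwise any positive hit accepts."""
    found = False
    for group in user_groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found


def match_address(addr, pattern_list):
    """Match Address, wildcard form only in this model."""
    return match_pattern_list(addr, pattern_list) == 1


def block_matches(criteria, user_groups, addr):
    """All criteria on one Match line must hold."""
    for key, pattern in criteria.items():
        if key == "Group" and not match_group(user_groups, pattern):
            return False
        if key == "Address" and not match_address(addr, pattern):
            return False
    return True


def effective_options(blocks, user_groups, addr):
    """Visit blocks in file order; the first value obtained for a keyword
    is kept, a later matching block does not override it."""
    options = {}
    for criteria, settings in blocks:
        if block_matches(criteria, user_groups, addr):
            for keyword, value in settings.items():
                options.setdefault(keyword, value)
    return options


def force_command(blocks, user_groups, addr):
    """ForceCommand for a user with these groups from this address, or
    None when no Match block forces one (the user gets a normal shell)."""
    return effective_options(blocks, user_groups, addr).get("ForceCommand")


if __name__ == "__main__":
    cases = [  # (groups, source address), constructed for the example
        (["sftponly"], "203.0.113.7"),
        (["users"], "203.0.113.7"),
        (["users"], "10.1.2.3"),
        (["sftponly2"], "203.0.113.7"),
    ]
    for name, cfg in (("original", ORIGINAL_CONFIG),
                      ("workaround", WORKAROUND_CONFIG)):
        for groups, addr in cases:
            print(name, groups, addr, "->", force_command(cfg, groups, addr))
```

On a live server the same question is answered by sshd itself: `sshd -T -C user=<name>,host=<hostname>,addr=<address>` prints the effective configuration for that connection, so an account outside sftponly connecting from outside 10/8 should show the echo ForceCommand there, and a member of the new sftponly2 group should show internal-sftp rather than the denial. The model keeps the rule that the first value obtained for a keyword wins, so a keyword set by an earlier matching Match block is not overridden by a later one.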