[Bug 2580] [PATCH] Support for MaxDisplays to replace artificial MAX_DISPLAYS limit

bugzilla-daemon at bugzilla.mindrot.org
Mon Aug 15 03:24:13 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2580

AG <openssh at mzpqnxow.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #4 from AG <openssh at mzpqnxow.com> ---
Update:

I understand this didn't make it into 7.3 due to the size of the patch
relative to some of the smaller patches, which were easier to review.
I'm hoping someone will have the chance to review for 7.3px or 7.4. The
majority of the patch is boilerplate (a new integer option in
sshd_config and accompanying field in ServerOptions) and it doesn't
change any behavior unless explicitly used in sshd_config, it just
allows a default setting to be changed by the user, as opposed to
changing a #define and rebuilding.

I realize there haven't been many (any?) requests to the list for this
functionality, but it does seem like something best suited for a config
option by common sense - it's one of the only hard-coded 'limits' in
this part of the code, aside from mandatory implementation details and
things having to do with security, which are obviously set and fixed at
specific values for very good reasons. 

One could argue that allowing the user to change the limit that is
currently set (MAX_DISPLAYS 1000) has potential stability (and thus
security) implications since it would allow authenticated users to
allocate N ports on the loopback device, but this risk is clearly
documented in the man page and I think it's fair to say that any
sysadmin messing with this setting will understand the risk. It isn't
really too far off from allowing sysadmins to set values like
MaxAuthTries, AllowTcpForwarding, and other variables when it comes to
protecting the user from shooting one's own foot.

As always, if there's anything I can do to help beyond using this patch
in my environment, let me know.

FWIW, this change has been live on (critical) production infrastructure
for at LEAST 2 years now, in an environment supporting > 5000 users,
with many, many more concurrent active sessions. This sounds silly since
in retrospect, I should have cleaned up and submitted the patch much
sooner.

Thanks Jakub for the whitespace cleanup and the adjustment of the
'magic number' for the X11 base port and thanks to anyone who is
willing to help in reviewing this for the next release. I would love to
get this into RHEL 7.3 or 7.4 (and other distributions, for the sake of
other users who may need it now or down the line) but until it goes
upstream, that is unlikely to happen.

Thanks
