MAX_ALLOW_USERS

James Dennis jdennis at law.harvard.edu
Fri Feb 7 01:32:09 EST 2003


Hey everyone,

I appreciate the input. The reason we have 256 AllowUsers is because we 
are (as stated before) explicitly allowing users to sftp to our systems 
and denying the rest. Because we use sftp as our main file transfer 
method, we of course have many users that need to be explicitly allowed.

As Ben is always a source of good info, I'm curious why you would see 
this as an abuse? We're probably going to just double that number and 
recompile if it looks as though it's not an abuse. Hopefully I'll get 
time to whip up a patch to move that number into sshd_config.

-James

Ben Lindstrom wrote:
> I think we need to discuss the usage of it before jumping the gun and
> changing it.
> 
> WHY do you have 256 AllowUser?   Is it a case where you would be better
> off with 20 DenyUser lines?
> 
> I'd rather see the code (which I think would not be too much of a problem)
> be dynamically allocated if it really needs to be upped, but I think we
> are running into the case of abuse of a feature without understanding it.
> 
> - Ben
> 
> 
> 
> On Wed, 5 Feb 2003, Randy Zagar wrote:
> 
> 
>>Or, even better, make AllowUser support netgroups.
>>
>>But I think, from an architecture perspective, that James is right...
>>This kind of parameter should be in sshd_config unless there's a
>>kernel-related limitation that can't be avoided.
>>
>>-RZ
>>
>>Ben Lindstrom wrote:
>>
>>>>Hey everyone,
>>>>
>>>>I have been using sftp for quite some time now and we have just hit 256
>>>>sftp users. Line 21 of servconf.h reads:
>>>>
>>>>#define MAX_ALLOW_USERS         256     /* Max # users on allow list. */
>>>>
>>>>I am curious why this is in a header file and not something that is in
>>>>sshd_config that can be changed without recompile?
>>>>
>>>
>>>
>>>You have 256 users listed in AllowUser ?!  Maybe you need to consider
>>>moving to a denylist instead.
>>>
>>>- Ben
>>>
>>>
>>>
>>>>Thanks in advance!
>>>>
>>>>--
>>>>James Dennis
>>>>Harvard Law School
>>>>
>>>>"Not everything that counts can be counted,
>>>>and not everything that can be counted counts."
>>>>
>>>>_______________________________________________
>>>>openssh-unix-dev mailing list
>>>>openssh-unix-dev at mindrot.org
>>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>>
>>>
>>
>>
>>
> 
> 

-- 
James Dennis
Harvard Law School
617-596-7272

"Not everything that counts can be counted,
and not everything that can be counted counts."
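One way to check an sshd_config against the compile-time cap the thread is about, and to weigh Ben's allowlist-versus-denylist question for a given host, as an added example (not code from the thread or from OpenSSH). The sample config, the choice of 256 as this build's cap, and all function names are assumptions.

```python
# Compile-time cap from servconf.h as quoted in the thread (assumption: this build's value).
MAX_ALLOW_USERS = 256

# Constructed sample sshd_config fragment, not a real configuration.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
AllowUsers alice bob carol@10.0.0.5
AllowUsers dave erin
DenyUsers mallory
"""


def parse_user_lists(config_text):
    """Collect AllowUsers / DenyUsers tokens.

    sshd appends the tokens of every repeated directive to one list, so the
    cap applies to the total across all AllowUsers lines, not per line.
    Only lines whose first token starts with '#' are comments.
    """
    lists = {"AllowUsers": [], "DenyUsers": []}
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts
        for name in lists:
            if key.lower() == name.lower():      # keywords are case-insensitive
                lists[name].extend(value.split())
    return lists


def check_allow_limit(config_text, limit=MAX_ALLOW_USERS):
    """Report the AllowUsers count against the cap; an old sshd fatal()s
    at config parse time when the list exceeds MAX_ALLOW_USERS."""
    count = len(parse_user_lists(config_text)["AllowUsers"])
    return {"count": count, "limit": limit, "over_limit": count > limit}


def denylist_equivalent(all_users, allow_users):
    """The DenyUsers list that admits the same accounts as allow_users
    on a host with exactly all_users: every account not allowed.
    Note it only stays equivalent until a new account is created; an
    allowlist denies unknown accounts by default, a denylist admits them."""
    allowed = {u.split("@", 1)[0] for u in allow_users}   # drop user@host patterns
    return sorted(set(all_users) - allowed)
```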