MAX_ALLOW_USERS

Loomis, Rip GILBERT.R.LOOMIS at saic.com
Fri Feb 7 01:35:32 EST 2003


> > WHY do you have 256 AllowUser?   Is it a case where you
> > would be better off with 20 DenyUser lines?

> DenyUser is almost always a bad idea. Explicit permits are 
> much better than denies - denies fail to take account of new
> users, and fail open, rather than fail closed.

I strongly agree that "default deny, allow specific" is the
better answer--and I suspect that's why the reporting site is
doing things the way they are.  As someone else already noted,
though, it would appear that the right answer is to add support
for AllowGroup.  AllowUser is also not really something that can
be a runtime configuration option, since there does need to be
a maximum data structure size defined during compilation.  If
someone really needs more than 256 AllowUser lines in the short
term, then they should modify that #define.

--
Rip Loomis
Brainbench MVP for Internet Security
http://www.brainbench.com  [Transcript 1923411]
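
The two points made in the message above, as an added C example that is not from the original post and is not OpenSSH's code: an allow list refuses an unlisted user while a deny list admits them, and a table sized at compile time can overflow. `MAX_USERS`, `struct user_list` and the function names are hypothetical, and the cap is 4 rather than 256 to keep the demonstration short.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USERS 4  /* assumption: stands in for the compile-time limit of 256 */

struct user_list {
    const char *names[MAX_USERS];
    unsigned int count;
};

/* Returns 0 on success, -1 when the fixed-size table is already full.
 * A config loader should treat -1 as fatal instead of dropping the entry. */
int list_add(struct user_list *l, const char *name)
{
    if (l->count >= MAX_USERS)
        return -1;
    l->names[l->count++] = name;
    return 0;
}

static int list_has(const struct user_list *l, const char *name)
{
    for (unsigned int i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0)
            return 1;
    return 0;
}

/* Allow list: a user nobody listed is refused (fails closed). */
int allowed_by_allowlist(const struct user_list *a, const char *u) { return list_has(a, u); }

/* Deny list: a user nobody listed is admitted (fails open). */
int allowed_by_denylist(const struct user_list *d, const char *u) { return !list_has(d, u); }

int main(void)
{
    struct user_list allow = {{0}, 0}, deny = {{0}, 0};
    const char *banned[] = {"mallory", "eve", "trent", "oscar", "peggy"}; /* constructed names */

    list_add(&allow, "alice");
    for (int i = 0; i < 5; i++)
        if (list_add(&deny, banned[i]) != 0)
            fprintf(stderr, "deny table full, entry for %s not stored\n", banned[i]);

    /* "newhire" was created after both lists were written. */
    printf("allow list admits newhire: %d\n", allowed_by_allowlist(&allow, "newhire"));
    printf("deny list admits newhire:  %d\n", allowed_by_denylist(&deny, "newhire"));
    printf("deny list admits peggy (entry past the cap): %d\n", allowed_by_denylist(&deny, "peggy"));
    return 0;
}
```

An entry that does not fit in a full allow table locks a legitimate user out, whereas an entry that does not fit in a full deny table lets a banned user in.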




More information about the openssh-unix-dev mailing list