MAX_ALLOW_USERS

Pekka Savola pekkas at netcore.fi
Fri Feb 7 01:45:11 EST 2003


On Thu, 6 Feb 2003, James Dennis wrote:
> I appreciate the input. The reason we have 256 AllowUser's is because we 
> are (as stated before) explicitly allowing users to sftp to our systems 
> and denying the rest. Because we use sftp as our main file transfer 
> method, we of course have many users that need to be explicitly allowed.
> 
> As Ben is always a source of good info, I'm curious why you would see 
> this as an abuse? We're probably going to just double that number and 
> recompile if it looks as though it's not an abuse. Hopefully I'll get 
> time to whip up a patch to move that number into sshd_config.

I'd certainly just create a provisional group 'sftpusers' and add every 
user there..

> Ben Lindstrom wrote:
> > I think we need to discuss the usage of it before jumping the gun and
> > changing it.
> > 
> > WHY do you have 256 AllowUser?   Is it a case where you would be better
> > off with 20 DenyUser lines?
> > 
> > I'd rather see the code (which I think would not be too much of a problem)
> > be dynamically allocated if it really needs to be upped, but I think we
> > are running into the case of abuse of a feature without understanding it.
> > 
> > - Ben
> > 
> > 
> > 
> > On Wed, 5 Feb 2003, Randy Zagar wrote:
> > 
> > 
> >>Or, even better, make AllowUser support netgroups.
> >>
> >>But I think, from an architecture perspective, that James is right...
> >>This kind of parameter should be in sshd_config unless there's a
> >>kernel-related limitation that can't be avoided.
> >>
> >>-RZ
> >>
> >>Ben Lindstrom wrote:
> >>
> >>>>Hey everyone,
> >>>>
> >>>>I have been using sftp for quite some time now and we have just hit 256
> >>>>sftp users. Line 21 of servconf.h reads:
> >>>>
> >>>>#define MAX_ALLOW_USERS         256     /* Max # users on allow list. */
> >>>>
> >>>>I am curious why this is in a header file and not something that is in
> >>>>sshd_config that can be changed without recompile?
> >>>>
> >>>
> >>>
> >>>You have 256 users listed in AllowUser ?!  Maybe you need to consider
> >>>moving to a denylist instead.
> >>>
> >>>- Ben
> >>>
> >>>
> >>>
> >>>>Thanks in advance!
> >>>>
> >>>>--
> >>>>James Dennis
> >>>>Harvard Law School
> >>>>
> >>>>"Not everything that counts can be counted,
> >>>>and not everything that can be counted counts."
> >>>>
> >>>>_______________________________________________
> >>>>openssh-unix-dev mailing list
> >>>>openssh-unix-dev at mindrot.org
> >>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >>>>
> >>>
> >>>
> >>
> >>
> >>
> >>
> > 
> > 
> > 
> 
> 

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
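
The group-based approach suggested in the reply above, as an added example that is not part of the original message or of OpenSSH: it reads an sshd_config, collects the AllowUsers patterns, and prints (without running) the commands and the single AllowGroups line that would replace them. The function names, the constructed sample config, and the use of Linux `groupadd`/`usermod` are assumptions.

```shell
#!/bin/sh
# Added example: plan a move from many AllowUsers entries to one AllowGroups line.
# Nothing is executed against the system; the plan is only printed.

# Constructed sample sshd_config fragment (not a real configuration).
sample_config() {
cat <<'EOF'
Port 22
AllowUsers alice bob
allowusers carol
AllowUsers dave@192.0.2.10
#AllowUsers disabled
AllowUsers web*
EOF
}

# Print every AllowUsers pattern, one per line. The keyword is matched
# case-insensitively, several patterns may share a line, and commented-out
# lines are skipped because their first field is not the keyword.
allow_patterns() {
    awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }'
}

# Plain account names can simply become members of the group.
plain_users() { allow_patterns | grep -v '[@*?!]' || true; }

# user@host and wildcard patterns have no group equivalent. They cannot just
# stay in AllowUsers either: when both lists are set, a login must pass both.
manual_review() { allow_patterns | grep '[@*?!]' || true; }

# Emit the migration plan for the config read from stdin.
migration_plan() {
    cfg=$(cat)
    echo "groupadd sftpusers"
    printf '%s\n' "$cfg" | plain_users | while read -r u; do
        echo "usermod -a -G sftpusers $u"   # assumes Linux shadow-utils
    done
    echo "AllowGroups sftpusers"
    printf '%s\n' "$cfg" | manual_review | sed 's/^/# review manually: AllowUsers /'
}

sample_config | migration_plan
```

With membership held in the group, adding the 257th user is a `usermod` call rather than a config edit, and the compile-time list limit no longer matters.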



