MAX_ALLOW_USERS

James Dennis jdennis at law.harvard.edu
Fri Feb 7 01:57:56 EST 2003


Ah, excellent. Looks like I was caught up by the AllowUsers limit and 
didn't think to check for an AllowGroup directive. Is anyone still 
interested in moving this into a config file?

-James

Pekka Savola wrote:
> On Thu, 6 Feb 2003, James Dennis wrote:
> 
>>I appreciate the input. The reason we have 256 AllowUser's is because we 
>>are (as stated before) explicitly allowing users to sftp to our systems 
>>and denying the rest. Because we use sftp as our main file transfer 
>>method, we of course have many users that need to be explicitly allowed.
>>
>>As Ben is always a source of good info, I'm curious why you would see 
>>this as an abuse? We're probably going to just double that number and 
>>recompile if it looks as though it's not an abuse. Hopefully I'll get 
>>time to whip up a patch to move that number into sshd_config.
> 
> 
> I'd certainly just create a provisional group 'sftpusers' and add every 
> user there..
> 
> 
>>Ben Lindstrom wrote:
>>
>>>I think we need to discuss the usage of it before jumping the gun and
>>>changing it.
>>>
>>>WHY do you have 256 AllowUser?   Is it a case where you would be better
>>>off with 20 DenyUser lines?
>>>
>>>I'd rather see the code (which I think would not be too much of a problem)
>>>be dynamically allocated if it really needs to be upped, but I think we
>>>are running into the case of abuse of a feature without understanding it.
>>>
>>>- Ben
>>>
>>>
>>>
>>>On Wed, 5 Feb 2003, Randy Zagar wrote:
>>>
>>>
>>>
>>>>Or, even better, make AllowUser support netgroups.
>>>>
>>>>But I think, from an architecture perspective, that James is right...
>>>>This kind of parameter should be in sshd_config unless there's a
>>>>kernel-related limitation that can't be avoided.
>>>>
>>>>-RZ
>>>>
>>>>Ben Lindstrom wrote:
>>>>
>>>>
>>>>>>Hey everyone,
>>>>>>
>>>>>>I have been using sftp for quite some time now and we have just hit 256
>>>>>>sftp users. Line 21 of servconf.h reads:
>>>>>>
>>>>>>#define MAX_ALLOW_USERS         256     /* Max # users on allow list. */
>>>>>>
>>>>>>I am curious why this is in a header file and not something that is in
>>>>>>sshd_config that can be changed without recompile?
>>>>>>
>>>>>
>>>>>
>>>>>You have 256 users listed in AllowUser ?!  Maybe you need to consider
>>>>>moving to a denylist instead.
>>>>>
>>>>>- Ben
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Thanks in advance!
>>>>>>
>>>>>>--
>>>>>>James Dennis
>>>>>>Harvard Law School
>>>>>>
>>>>>>"Not everything that counts can be counted,
>>>>>>and not everything that can be counted counts."
>>>>>>
>>>>>>_______________________________________________
>>>>>>openssh-unix-dev mailing list
>>>>>>openssh-unix-dev at mindrot.org
>>>>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>>>>
>>
>>
> 

-- 
James Dennis
Harvard Law School
617-596-7272

"Not everything that counts can be counted,
and not everything that can be counted counts."
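
Added example (not part of the original thread and not OpenSSH code): a sketch of the move Pekka suggests, turning a long AllowUsers list into one AllowGroups line. The sample config is constructed, the group name 'sftpusers' is the one proposed above, and the groupadd/usermod commands assume Linux shadow-utils; they are only returned as text, never run.

```python
import re

MAX_ALLOW_USERS = 256  # compile-time limit quoted in the thread (servconf.h)
GROUP = "sftpusers"    # group name suggested in the thread

# Constructed sample config, not taken from any real system.
SAMPLE_CONFIG = """\
# file transfer accounts
AllowUsers alice bob
allowusers carol
AllowUsers dave@192.0.2.* backup?
Subsystem sftp /usr/libexec/sftp-server
"""

def plan_group_migration(config_text, group=GROUP, limit=MAX_ALLOW_USERS):
    """Split AllowUsers entries into plain names (movable to a group) and
    patterns (host-qualified or wildcarded) that a Unix group cannot express."""
    plain, patterns, kept = [], [], []
    for line in config_text.splitlines():
        words = line.split()
        # Keywords are case-insensitive; "#AllowUsers ..." comments do not match.
        if words and words[0].lower() == "allowusers":
            for entry in words[1:]:
                (patterns if re.search(r"[@*?!]", entry) else plain).append(entry)
        else:
            kept.append(line)
    total = len(plain) + len(patterns)
    return {
        "entries": total,
        "over_limit": total > limit,
        "plain": plain,
        "needs_review": patterns,
        # Commands for an administrator to review and run by hand.
        "commands": [f"groupadd {group}"]
                    + [f"usermod -a -G {group} {u}" for u in plain],
        # AllowUsers is dropped on purpose: when both directives are present,
        # sshd requires a login to pass both, so a leftover AllowUsers line
        # would lock out every group member it does not also name.
        "config": "\n".join(kept + [f"AllowGroups {group}"]) + "\n",
    }

if __name__ == "__main__":
    plan = plan_group_migration(SAMPLE_CONFIG)
    print("\n".join(plan["commands"]))
    print(plan["config"], end="")
    for p in plan["needs_review"]:
        print(f"# review by hand, not expressible as group membership: {p}")
```

Entries listed under needs_review carry a host restriction or wildcard that group membership cannot reproduce, so decide per entry whether the restriction is still needed before removing AllowUsers.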



