MAX_ALLOW_USERS

Ben Lindstrom mouring at etoh.eviladmin.org
Fri Feb 7 02:36:40 EST 2003


I think Mr Miller is planning on making them dynamically allocated.  But
Pekka stole my point.=)  I personally see AllowUsers required for adding
small 'oddball' users (not saying the users themselves are oddballs.
<chuckle>)  where {Allow/Deny}Groups is really what people should use
for larger groups of common trait people.

However, I suspect it will be moot in the future.

- Ben


On Thu, 6 Feb 2003, James Dennis wrote:

> Ah, excellent. Looks like I was caught up by the AllowUsers limit and
> didn't think to check for an AllowGroup directive. Is anyone still
> interested in moving this into a config file?
>
> -James
>
> Pekka Savola wrote:
> > On Thu, 6 Feb 2003, James Dennis wrote:
> >
> >>I appreciate the input. The reason we have 256 AllowUser's is because we
> >>are (as stated before) explicitly allowing users to sftp to our systems
> >>and denying the rest. Because we use sftp as our main file transfer
> >>method, we of course have many users that need to be explicitly allowed.
> >>
> >>As Ben is always a source of good info, I'm curious why you would see
> >>this as an abuse? We're probably going to just double that number and
> >>recompile if it looks as though it's not an abuse. Hopefully I'll get
> >>time to whip up a patch to move that number into sshd_config.
> >
> >
> > I'd certainly just create a provisional group 'sftpusers' and add every
> > user there..
> >
> >
> >>Ben Lindstrom wrote:
> >>
> >>>I think we need to discuss the usage of it before jumping the gun and
> >>>changing it.
> >>>
> >>>WHY do you have 256 AllowUser?   Is it a case where you would be better
> >>>off with 20 DenyUser lines?
> >>>
> >>>I'd rather see the code (which I think would not be too much of a problem)
> >>>be dynamically allocated if it really needs to be upped, but I think we
> >>>are running into the case of abuse of a feature without understanding it.
> >>>
> >>>- Ben
> >>>
> >>>
> >>>
> >>>On Wed, 5 Feb 2003, Randy Zagar wrote:
> >>>
> >>>
> >>>
> >>>>Or, even better, make AllowUser support netgroups.
> >>>>
> >>>>But I think, from an architecture perspective, that James is right...
> >>>>This kind of parameter should be in sshd_config unless there's a
> >>>>kernel-related limitation that can't be avoided.
> >>>>
> >>>>-RZ
> >>>>
> >>>>Ben Lindstrom wrote:
> >>>>
> >>>>
> >>>>>>Hey everyone,
> >>>>>>
> >>>>>>I have been using sftp for quite some time now and we have just hit 256
> >>>>>>sftp users. Line 21 of servconf.h reads:
> >>>>>>
> >>>>>>#define MAX_ALLOW_USERS         256     /* Max # users on allow list. */
> >>>>>>
> >>>>>>I am curious why this is in a header file and not something that is in
> >>>>>>sshd_config that can be changed without recompile?
> >>>>>>
> >>>>>
> >>>>>
> >>>>>You have 256 users listed in AllowUser ?!  Maybe you need to consider
> >>>>>moving to a denylist instead.
> >>>>>
> >>>>>- Ben
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>Thanks in advance!
> >>>>>>
> >>>>>>--
> >>>>>>James Dennis
> >>>>>>Harvard Law School
> >>>>>>
> >>>>>>"Not everything that counts can be counted,
> >>>>>>and not everything that can be counted counts."
> >>>>>>
> >>>>>>_______________________________________________
> >>>>>>openssh-unix-dev mailing list
> >>>>>>openssh-unix-dev at mindrot.org
> >>>>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >
>
> --
> James Dennis
> Harvard Law School
> 617-596-7272
>
> "Not everything that counts can be counted,
> and not everything that can be counted counts."
>
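
An added example, not part of the thread or of OpenSSH: a small audit of an sshd_config that counts AllowUsers entries against the 256 limit quoted above and works out which of them could move into the 'sftpusers' group suggested in the thread. The sample configuration, the function names and the result keys are constructed for illustration.

```python
import re

MAX_ALLOW_USERS = 256  # compile-time limit quoted in the thread (servconf.h)

# Constructed sample sshd_config for illustration; not from a real system.
SAMPLE_CONFIG = """\
# sftp accounts
AllowUsers alice bob
allowusers carol@192.0.2.* dave
AllowUsers=erin web*
Subsystem sftp /usr/libexec/sftp-server
"""

def allow_users_entries(config_text):
    """Collect every AllowUsers pattern; repeated lines accumulate."""
    entries = []
    for raw in config_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        # Keyword is case-insensitive; separator is whitespace or '='.
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*)$", raw)
        if m and m.group(1).lower() == "allowusers":
            entries.extend(m.group(2).split())
    return entries

def plan_group_migration(config_text, group="sftpusers"):
    """Split entries into plain names (group members) and patterns."""
    entries = allow_users_entries(config_text)
    # USER@HOST, wildcards and negation have no AllowGroups equivalent.
    patterns = [e for e in entries if re.search(r"[*?!@]", e)]
    members = sorted({e for e in entries if e not in patterns})
    return {
        "count": len(entries),
        "at_limit": len(entries) >= MAX_ALLOW_USERS,
        "members": members,
        "needs_review": patterns,
        "directive": f"AllowGroups {group}",
    }

if __name__ == "__main__":
    plan = plan_group_migration(SAMPLE_CONFIG)
    print(f"{plan['count']} AllowUsers entries (limit {MAX_ALLOW_USERS})")
    print("add to group:", " ".join(plan["members"]))
    print("review by hand:", " ".join(plan["needs_review"]))
    print(plan["directive"])
```

When both AllowUsers and AllowGroups are set, sshd requires a login to pass both checks, so the entries listed under `needs_review` cannot simply stay in AllowUsers next to the new AllowGroups line.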



