Problem of updating openssh-4.4p1 to openssh-5.5p1 with MAX_ALLOW_USERS option

Iain Morgan imorgan at nas.nasa.gov
Tue Dec 14 05:31:24 EST 2010


On Fri, Dec 10, 2010 at 17:18:00 -0600, ?????? ??????? wrote:
> Hello, Damien.
> 
> I'm sorry, maybe I have not explained it exactly.
> I understand that the defined variable MAX_ALLOW_USERS sets the maximum possible number of "AllowUsers"-type strings in the file "/etc/ssh/sshd_config".
> In version openssh-4.4p1, changing this defined option makes it possible to include a big quantity of "AllowUsers" strings in the file "/etc/ssh/sshd_config", but in version openssh-5.5p1 this change doesn't give similar results.
> Tell me, please, why this may occur in version 5.5p1?
>  
> Thanks.
> 

Hello,

So, to be clear, the issue is that you want to have a large number of
AllowUsers statements rather than the need for a large number of
concurrent logins. In that case, I'm not sure why increasing these
constants does not have the same effect as with OpenSSH 4.4. Having said
that, there may be alternative solutions to your issue.

AllowGroups might be a better solution than AllowUsers. You could, for
example, create a group that consists only of those users that are
allowed to log in to the system. Or, if that is not acceptable for some
reason, you could create a number of groups.

Besides the limit on the number of entries, AllowUsers has the
disadvantage that you must restart sshd whenever a user is added or
removed from the list of allowed users. There are PAM-based solutions,
such as pam_access, that provide similar functionality but do not
require a restart of sshd. I believe that you indicated you are using
RHEL, which includes pam_access, so you may want to take a look at it.

-- 
Iain Morgan
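
The two alternatives suggested in the message above, sketched as configuration. This is an added example, not part of the original post or of OpenSSH's documentation; the group name `sshusers`, the account `alice` and the file `/etc/security/access-sshd.conf` are assumptions chosen for illustration.

```conf
# --- Before: /etc/ssh/sshd_config with one entry per user ---
# Bounded by the compile-time MAX_ALLOW_USERS constant, and every
# change to the list needs sshd to re-read its configuration.
#   AllowUsers alice
#   AllowUsers bob
#   AllowUsers carol

# --- Option 1: /etc/ssh/sshd_config with a single group entry ---
# Membership is managed in the group database, for example:
#   groupadd sshusers
#   usermod -a -G sshusers alice
# Group membership is looked up at login time, so adding or removing
# a member does not touch sshd_config.
AllowGroups sshusers

# --- Option 2: pam_access, no AllowUsers/AllowGroups line at all ---
# /etc/ssh/sshd_config: sshd must run the PAM account stack.
UsePAM yes

# /etc/pam.d/sshd: add to the account section. A dedicated
# accessfile (assumed path) keeps these rules from affecting other
# services that also use pam_access.
account    required     pam_access.so accessfile=/etc/security/access-sshd.conf

# /etc/security/access-sshd.conf
# Format is  permission : users/groups : origins
# The first matching line decides; parentheses mark a group name.
+ : (sshusers) : ALL
- : ALL : ALL
```

With either option, run `sshd -t` after editing sshd_config to check the syntax, and keep an existing session open while testing a new login so a mistake in the rules does not lock you out.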

