Problem of updating openssh-4.4p1 to openssh-5.5p1 with MAX_ALLOW_USERS option
akulov-aa at ya.ru
Tue Dec 14 20:12:51 EST 2010
The most interesting fact is that openssh-5.5 installed successfully (with a large value of MAX_ALLOW_USERS defined), but on connection any user can see the login prompt; after entering the login, the ssh terminal doesn't give the possibility to input the password and exits with an error. Also at this time the following records are logged in the file /var/log/secure:
Dec 9 16:01:59 bankier3 sshd: fatal: mm_request_send: write: Broken pipe
Dec 9 16:08:22 bankier3 sshd: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
With best regards, Alex.
13.12.10, 21:31, "Iain Morgan" <imorgan at nas.nasa.gov>:
On Fri, Dec 10, 2010 at 17:18:00 -0600, ?????? ??????? wrote:
> Hello, Damien.
> I'm sorry, maybe I did not express myself exactly.
> I understand that the defined variable MAX_ALLOW_USERS sets the maximum possible number of "AllowUsers"-type lines in the file "/etc/ssh/sshd_config".
> In version openssh-4.4p1, changing this define makes it possible to include a large number of "AllowUsers" lines in the file "/etc/ssh/sshd_config", but in version openssh-5.5p1 this change doesn't give similar results.
> Tell me, please, why this may occur in version 5.5p1?
So, to be clear, the issue is that you want to have a large number of
AllowUser statements rather than the need for a large number of
concurrent logins. In that case, I'm not sure why increasing these
constants does not have the same effect as with OpenSSH 4.4. Having said
that, there may be alternative solutions to your issue.
AllowGroups might be a better solution than AllowUsers. You could, for
example, create a group that consists only of those users that are
allowed to log in to the system. Or, if that is not acceptable for some
reason, you could create a number of groups.
Besides the limit on the number of entries, AllowUsers has the
disadvantage that you must restart sshd whenever a user is added or
removed from the list of allowed users. There are PAM-based solutions,
such as pam_access, that provide similar functionality but do not
require a restart of sshd. I believe that you indicated you are using
RHEL, which includes pam_access, so you may want to take a look at it.
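The two alternatives Iain suggests, rewritten as a small POSIX shell script. This is an added example, not code from the thread or from the OpenSSH project; the sshd_config fragment and the user and group names in it are constructed for illustration. It counts the AllowUsers tokens that sshd accumulates across every AllowUsers directive (that total is what is compared against MAX_ALLOW_USERS in servconf.h), then emits an equivalent AllowGroups setup and an equivalent pam_access(8) rule set for /etc/security/access.conf. Entries of the user@host form have no group equivalent, so they are flagged rather than dropped.

```shell
#!/bin/sh
# Constructed sample: a long AllowUsers list split over several directives.
SAMPLE_CONFIG=$(cat <<'EOF'
Port 22
# users permitted to log in (hypothetical names)
AllowUsers alice bob carol
AllowUsers dave erin
AllowUsers frank@10.0.0.0/24
PermitRootLogin no
EOF
)

# Print every token of every AllowUsers directive, one per line.
# sshd keywords are case-insensitive, so match on the lowercased keyword.
allow_users_tokens() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }'
}

# Total number of AllowUsers entries: sshd keeps one counter across all
# AllowUsers lines, so this is the number MAX_ALLOW_USERS limits.
count_allow_users() {
    allow_users_tokens "$1" | wc -l | tr -d ' '
}

# Group-based replacement: one AllowGroups directive plus the usermod
# commands that put each listed user into that group ($2 is the group name).
# A user@host pattern carries a source restriction that group membership
# cannot express, so it is reported instead of being silently lost.
to_allow_groups() {
    group="$2"
    printf 'AllowGroups %s\n' "$group"
    allow_users_tokens "$1" | while read -r tok; do
        case "$tok" in
            *@*) printf '# NOTE: %s has a host part; keep it in AllowUsers or use pam_access\n' "$tok" ;;
            *)   printf 'usermod -aG %s %s\n' "$group" "$tok" ;;
        esac
    done
}

# pam_access replacement: access.conf lines of the form
#   permission : users : origins
# The user@host form maps onto the origins field; everyone else is denied.
# These rules only take effect if pam_access.so is in sshd's PAM stack
# (e.g. "account required pam_access.so" in /etc/pam.d/sshd) and sshd runs
# with UsePAM yes; editing access.conf then needs no sshd restart.
to_pam_access() {
    allow_users_tokens "$1" | while read -r tok; do
        case "$tok" in
            *@*) printf '+ : %s : %s\n' "${tok%%@*}" "${tok#*@}" ;;
            *)   printf '+ : %s : ALL\n' "$tok" ;;
        esac
    done
    printf '%s\n' '- : ALL : ALL'
}

# Stand-alone run: show the count and both generated alternatives.
printf 'AllowUsers entries: %s\n\n' "$(count_allow_users "$SAMPLE_CONFIG")"
to_allow_groups "$SAMPLE_CONFIG" sshusers
printf '\n'
to_pam_access "$SAMPLE_CONFIG"
```

The generated access.conf ends with a deny-all rule; because pam_access rules apply to every PAM service that loads the module, put the module in /etc/pam.d/sshd only, not in a shared stack, unless the same allow list is meant to govern console and other logins too.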