[Bug 1213] ssh-keyscan exits in mid-way

Wed Nov 30 17:12:55 EST 2011

https://bugzilla.mindrot.org/show_bug.cgi?id=1213

--- Comment #42 from Daniel Richard G. <skunk at iSKUNK.ORG> 2011-11-30 17:12:55 EST ---
(In reply to comment #41)
> 
> The number of ways that key access can be terminated keeps increasing,
> doesn't it?

I hope it won't be necessary to enumerate them all before this bug can
be closed!

> My oops.  I have had my focus redirected to other projects and,
> besides, I'm very lazy (;-}).
> 
> Dumb me, I thought at least a question or two would be forthcoming from
> the OpenSSH folks.  Guess not. I saw the mailing list reference in the
> README and promptly forgot about it.  I will send the patch there.  I
> apologize for the slowness.

Hey, it's your patch. All the fame and glory will go to you ;-)

> Question for you.  The ssh-keyscan code currently limits the maximum
> number of used file descriptors to <256.  The biggest problem that I've
> seen with that number is, if you ever have a very large number of down
> hosts (which we have had), the code uses the available fds and has to
> wait for a '-Tn' timeout on one of them to start another key access.
> I've made a local modification that changes that number to 512.  The
> code seems smart enough so that, if the OS has smaller limits, nothing
> will break.  Right now Debian defaults to 1024 fds max and (at least
> our) Redhat to 20480.  So 512 is a modest increase.  Would you have an
> opinion on this?

Debian has 1024 fds max per process, or across the entire system? (If a
local DoS attack were really as easy as calling open() ~1000 times...)

If the limit is for the whole system, that would be a good reason to
make this an option, or a recognized environment variable. If for a
single process, then just call sysconf(_SC_OPEN_MAX) and go to town.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.