Two patches in Bugzilla (MaxDisplays, wildcard PermitOpen hostname) for inclusion upstream

AG openssh at mzpqnxow.com
Sat Jul 2 16:03:08 AEST 2016


Greetings,

I just wanted to point out that I've submitted two patches, complete with
documentation, for some very basic but (IMO) reasonable and necessary
features. I'd like to have these considered for inclusion in the next
OpenSSH release.

--
Configurable MAX_DISPLAYS value via MaxDisplays
https://bugzilla.mindrot.org/show_bug.cgi?id=2580
--
This patch allows the #define MAX_DISPLAYS value to be controlled via an
sshd_config directive, aptly named 'MaxDisplays'. This is useful when using
OpenSSH as a multi-factor gateway to forward X11 sessions through a
centralized host, specifically when there are several thousand users, beyond
the default max value of 1000. With this patch, the default value of 1000 is
used unless explicitly set to another value in sshd_config.


--
PermitOpen hostname wildcard
https://bugzilla.mindrot.org/show_bug.cgi?id=2582
--
This simple patch allows for a wildcard symbol to be used as the hostname in
an sshd_config PermitOpen directive. This is useful when using OpenSSH as a
multi-factor gateway to forward access to a specific service on a large and
effectively undefined list of hosts "behind" the multi-factor gateway. For
example:

PermitOpen *:3389

This would allow an OpenSSH daemon to act as an RDP gateway when it is
impractical to list each and every host you would like to allow RDP forwards
to. The use case here is a network with > 1000 machines. This patch very
intentionally keeps it simple: the asterisk is not a pattern match, it is
just a symbol that means 'any host'. There is no *.domain.com type logic.

I'm happy to take any feedback on these patches. I've spoken with Red Hat
engineers and they have built test RPMs for them for my environment, but
they will not officially accept them unless upstream OpenSSH accepts them
into a release.

Thanks, I appreciate the consideration. If anyone has any questions about
the value and use cases for these patches, please feel free to let me know
on or off list.

AG
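The matching rule the post proposes for PermitOpen (a bare `*` host means "any host", every other host is an exact string with no pattern logic, and the port must match exactly) is easy to get wrong when reviewing a gateway's sshd_config, so here is a small model of it. This is an added example written for this page, not code from the patch or from OpenSSH; the rule representation, the function names `parse_permit_open` and `forward_permitted`, and the sample requests are all constructed for illustration.

```python
"""Model of the PermitOpen host:port matching described in the post.

Added example (not OpenSSH code). Assumptions: each PermitOpen entry is a
host:port token, a host of '*' matches any host, any other host is compared
as an exact string (no wildcard or suffix logic), and the port must match
exactly. Bracketed IPv6 literals such as [::1]:22 are accepted as hosts.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PermitOpenRule:
    host: str   # '*' means any host; otherwise an exact string
    port: int


def parse_permit_open(directive: str) -> list[PermitOpenRule]:
    """Parse the argument list of one PermitOpen line, e.g. '*:3389 db1:5432'."""
    rules: list[PermitOpenRule] = []
    for token in directive.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed PermitOpen entry: {token!r}")
        # Strip the brackets around an IPv6 literal so '[::1]:22' yields '::1'.
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]
        rules.append(PermitOpenRule(host=host, port=int(port)))
    return rules


def forward_permitted(rules: list[PermitOpenRule], host: str, port: int) -> bool:
    """Return True if a forward request to host:port is allowed by the rules.

    The host check is deliberately a plain equality test: only the literal
    token '*' is a wildcard, so an entry like '*.domain.com' permits exactly
    the host named '*.domain.com' and nothing else.
    """
    for rule in rules:
        if rule.port != port:
            continue
        if rule.host == "*" or rule.host == host:
            return True
    return False


def explain(directive: str, requests: list[tuple[str, int]]) -> dict[tuple[str, int], bool]:
    """Evaluate a batch of (host, port) requests against one directive."""
    rules = parse_permit_open(directive)
    return {req: forward_permitted(rules, *req) for req in requests}


if __name__ == "__main__":
    # Constructed sample: an RDP gateway that also allows one exact SSH hop.
    directive = "*:3389 jump.example.com:22"
    sample_requests = [
        ("desk-0421.example.com", 3389),  # any host on the RDP port
        ("desk-0421.example.com", 22),    # same host, port not permitted
        ("jump.example.com", 22),         # exact host:port entry
        ("[::1]", 3389),                  # bracketed literal is not stripped from requests
    ]
    for (host, port), allowed in explain(directive, sample_requests).items():
        print(f"{host}:{port} -> {'permit' if allowed else 'deny'}")
```

Usage note: the `explain` helper is the quickest way to sanity-check a directive before deploying it. A wildcard rule such as `*:3389` permits the RDP port to every host the gateway can reach, including hosts on the gateway's own management networks, so pairing it with network-level filtering on the gateway is the natural complement to the configuration.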

