https://bugzilla.mindrot.org/show_bug.cgi?id=2580
AG <[email protected]> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
           Keywords|        |patch

--- Comment #4 from AG <[email protected]> ---

Update: I understand this didn't make it into 7.3 due to the size of the patch relative to some of the smaller patches, which were easier to review. I'm hoping someone will have the chance to review for 7.3px or 7.4.

The majority of the patch is boilerplate (a new integer option in sshd_config and an accompanying field in ServerOptions) and it doesn't change any behavior unless explicitly used in sshd_config; it just allows a default setting to be changed by the user, as opposed to changing a #define and rebuilding.

I realize there haven't been many (any?) requests to the list for this functionality, but it does seem like something best suited for a config option by common sense - it's one of the only hard-coded 'limits' in this part of the code, aside from mandatory implementation details and things having to do with security, which are obviously set and fixed at specific values for very good reasons.

One could argue that allowing the user to change the limit that is currently set (MAX_DISPLAYS 1000) has potential stability (and thus security) implications, since it would allow authenticated users to allocate N ports on the loopback device, but this risk is clearly documented in the man page and I think it's fair to say that any sysadmin messing with this setting will understand the risk. It isn't really too far off from allowing sysadmins to set values like MaxAuthTries, AllowTcpForwarding, and other variables when it comes to protecting the user from shooting one's own foot.

As always, if there's anything I can do to help beyond using this patch in my environment, let me know. FWIW, this change has been live on (critical) production infrastructure for at LEAST 2 years now, in an environment supporting > 5000 users, with many many more concurrent active sessions.
This sounds silly since, in retrospect, I should have cleaned up and submitted the patch much sooner. Thanks Jakub for the whitespace cleanup and the adjustment of the 'magic number' for the X11 base port, and thanks to anyone who is willing to help in reviewing this for the next release. I would love to get this into RHEL 7.3 or 7.4 (and other distributions, for the sake of other users who may need it now or down the line), but until it goes upstream, that is unlikely to happen.

Thanks
