sshd_config AllowUsers/DenyUsers - SSH


  1. sshd_config AllowUsers/DenyUsers


    Does anyone know if there is a character length limitation in
    sshd_config for AllowUsers/DenyUsers ? For example, if I have 3000
    users that I'd like to insert to AllowUsers, and exceeding 4096
    character length, will I run into any issues?

  2. Re: sshd_config AllowUsers/DenyUsers

    J4000 wrote:
    > Does anyone know if there is a character length limitation in
    > sshd_config for AllowUsers/DenyUsers ? For example, if I have 3000
    > users that I'd like to insert to AllowUsers, and exceeding 4096
    > character length, will I run into any issues?


    I don't know.

    However, I would hesitate to try to add 3000 users to the AllowUsers clause,
    just because there are better ways to solve that problem. You /could/ just
    define a group to your system (say the "SshUsers" group), and add all 3000
    users to it as a supplemental group. Then, name the one group in the
    AllowGroups clause. This gives a much shorter sshd_config clause, and permits
    you to add and subtract legal ssh users through the standard Unix group
    management tools.

    HTH
    --
    Lew Pitcher

    Master Codewright & JOAT-in-training | Registered Linux User #112576
    http://pitcher.digitalfreehold.ca/ | GPG public key available by request
    ---------- Slackware - Because I know what I'm doing. ------


  3. Re: sshd_config AllowUsers/DenyUsers

    On Feb 14, 6:40 pm, Lew Pitcher wrote:

    > J4000 wrote:
    > > Does anyone know if there is a character length limitation in
    > > sshd_config for AllowUsers/DenyUsers ? For example, if I have 3000
    > > users that I'd like to insert to AllowUsers, and exceeding 4096
    > > character length, will I run into any issues?

    >
    > I don't know.
    >
    > However, I would hesitate to try to add 3000 users to the AllowUsers clause,
    > just because there are better ways to solve that problem. You /could/ just
    > define a group to your system (say the "SshUsers" group), and add all 3000
    > users to it as a supplemental group. Then, name the one group in the
    > AllowGroups clause. This gives a much shorter sshd_config clause, and permits
    > you to add and subtract legal ssh users through the standard Unix group
    > management tools.


    I agree, and there's also the option (with recent versions of OpenSSH)
    to use the negative form: DenyUsers which would be still longer than
    the AllowGroups, but shorter than listing 3k user names.

    Also there is the use of patterns, if the 3k names have something in
    common (unlikely), or the hosts from where they are allowed to login
    are in a subnet (likely); see man sshd_config and ssh_config.

    Regards.
    --
    René Berber
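
A sketch of the migration suggested in Lew Pitcher's reply, as an added example that is not part of the original thread: it reads the AllowUsers entries from an sshd_config-style file and prints the group commands to run, flagging the user@host and wildcard entries that group membership cannot express. Assumptions: the group name `sshusers`, the Linux shadow-utils commands `groupadd` and `usermod`, a file without `Match` blocks or `keyword=value` syntax, and a constructed sample config.

```shell
#!/bin/sh
# Added example: plan a move from AllowUsers to AllowGroups.
# SSH_GROUP and the sample config are constructed for illustration.
SSH_GROUP="${SSH_GROUP:-sshusers}"

# Print every AllowUsers argument, one per line. Keywords are
# case-insensitive; commented-out lines and trailing comments are skipped.
allow_user_patterns() {
    awk 'tolower($1) == "allowusers" {
             for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; print $i }
         }' "$1"
}

# Print (do not run) the commands that move plain account names into
# $SSH_GROUP. Entries containing '@', wildcards, '!' or a leading '-'
# are only flagged: a group cannot express a host or name pattern.
plan_migration() {
    printf 'groupadd -f %s\n' "$SSH_GROUP"
    allow_user_patterns "$1" | LC_ALL=C sort -u | while IFS= read -r pat; do
        case "$pat" in
            -*|*[!A-Za-z0-9._-]*) printf '# MANUAL: %s\n' "$pat" ;;
            *) printf 'usermod -aG %s %s\n' "$SSH_GROUP" "$pat" ;;
        esac
    done
    printf '# then: replace AllowUsers lines with "AllowGroups %s"\n' "$SSH_GROUP"
}

# Constructed sample input, not taken from the thread.
sample_config() {
    cat <<'EOF'
Port 22
AllowUsers alice bob
#AllowUsers mallory
allowusers carol@10.0.0.* dave
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && plan_migration "$tmp"
rm -f "$tmp"
```

When AllowUsers and AllowGroups are both set, a login has to satisfy both, so remove the old AllowUsers lines once the group is populated and check the edited file with `sshd -t` before reloading.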
