Is there a limit to the number of user entries in AllowUsers that can be given in sshd_config file in Linux?

I have an SFTP server where I need to restrict users with specific IP addresses or ranges.

To achieve this, I had been appending AllowUsers entries to the sshd_config file like below and there are 180 such entries on the same line:

AllowUsers user1 user2 user3@ipaddress user4@ipaddress/n user5@ipaddress user5@address user5@address

and so on.

The problem is, the server's ssh service has been going down lately. And upon checking the server messages log, the error that causes the service failure is Line 143 too long. Line 143 is the AllowUsers line in my config file. The service seems to go down once the number of entries touches 184.

It seems like adding any more AllowUsers entries is not possible. Is there any kind of limit to the number of entries for AllowUsers?

Please urgently help me out with a solution. I don't think AllowGroups is an option for me because I need to restrict each user with a different set of IPs.

Answer 1

Looking through an older version of ssh, like 7.4, we see that error message in servconf.c, function load_server_config, where the max line length is 4096 bytes.

However, looking at the handling of AllowUsers lines in the same file seems to suggest that you can simply add more lines of the same type. E.g.

AllowUsers user4@ipaddress/n user5@ipaddress
AllowUsers user6@ipaddress/n user7@ipaddress

Note that the array to hold the entries has a fixed size of MAX_ALLOW_USERS i.e. 256 entries, in this version. To get past that limit, you might be able to use Match lines to add more users.
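The following is an added example, not code from the original answer: a small POSIX shell script that rewrites an sshd_config so that an oversized AllowUsers line is split into several AllowUsers lines (the approach described above), and reports the longest line so it can be checked against the 4096-byte limit before sshd is restarted. The sample config it generates is constructed here; MAX_PER_LINE is an assumed, adjustable chunk size.

```shell
#!/bin/sh
# Added example (not from the original post): split long AllowUsers lines in an
# sshd_config and check the resulting line lengths against the 4096-byte limit.

MAX_PER_LINE=${MAX_PER_LINE:-20}   # assumed chunk size; pick what keeps lines short
MAX_LINE_BYTES=4096                # limit from load_server_config in that version

# split_allowusers: read sshd_config text on stdin, write it to stdout with every
# "AllowUsers a b c ..." line split into several AllowUsers lines of at most
# MAX_PER_LINE patterns each. All other lines are copied unchanged.
split_allowusers() {
    awk -v max="$MAX_PER_LINE" '
        $1 == "AllowUsers" {
            n = 0; line = "AllowUsers"
            for (i = 2; i <= NF; i++) {
                if (n == max) { print line; line = "AllowUsers"; n = 0 }
                line = line " " $i; n++
            }
            if (n > 0) print line
            next
        }
        { print }
    '
}

# longest_line_bytes: print the byte length of the longest line on stdin, to be
# compared with MAX_LINE_BYTES before the new file is put in place.
longest_line_bytes() {
    LC_ALL=C awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}

# Constructed sample config: one AllowUsers line carrying 45 user@address patterns
# (192.0.2.0/24 is a documentation range, so these are placeholder addresses).
sample_config() {
    printf 'Port 22\n'
    printf 'AllowUsers'
    i=1
    while [ "$i" -le 45 ]; do
        printf ' user%d@192.0.2.%d' "$i" "$i"
        i=$((i + 1))
    done
    printf '\nPasswordAuthentication no\n'
}

# count_allowusers_lines: number of AllowUsers lines the sample produces after splitting.
count_allowusers_lines() {
    sample_config | split_allowusers | grep -c '^AllowUsers'
}

# pattern_count: total number of user patterns kept across all AllowUsers lines,
# so nothing is silently dropped by the rewrite.
pattern_count() {
    sample_config | split_allowusers | grep '^AllowUsers' | awk '{ n += NF - 1 } END { print n + 0 }'
}

# Usage with a real file:
#   split_allowusers < /etc/ssh/sshd_config > sshd_config.new
#   longest_line_bytes < sshd_config.new      # must stay at or below 4096
#   sshd -t -f sshd_config.new                 # syntax check before swapping it in
```

The split only addresses the "line too long" error; the fixed-size MAX_ALLOW_USERS array mentioned above counts entries across all AllowUsers lines in that version, so the total number of patterns still has to stay under it, or the server has to be upgraded as the later answers suggest. Always run `sshd -t` on the new file before restarting the service.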

Answer 2

I'm reading openssh-8.4p1 source code and I don't see any limits imposed on AllowUsers. Please try installing this version and report whether it's helped you or not. You can install it into /usr/local and make it listen on a different port, so that you don't need to mess with your old sshd.

Answer 3

Thanks a lot to those who put up their inputs here :)

I upgraded my OpenSSH and the limit restriction mentioned in my question is no longer an issue now.

I followed the below blogs to complete and troubleshoot my OpenSSH upgrade. I was doing it on Amazon Linux. However, I believe this should work on CentOS as well.

https://www.tecmint.com/install-openssh-server-from-source-in-linux/

https://blog.jonkimi.com/2020/04/17/Upgrade-openssh-server-on-Ubuntu/

http://blog.chinaunix.net/uid-28813320-id-5786956.html
