Re: sshd_config AllowUsers/DenyUsers



On Feb 14, 6:40 pm, Lew Pitcher wrote:

J4000 wrote:
Does anyone know if there is a character length limitation in
sshd_config for AllowUsers/DenyUsers ? For example, if I have 3000
users that I'd like to insert to AllowUsers, and exceeding 4096
character length, will I run into any issues?

I don't know.

However, I would hesitate to try to add 3000 users to the AllowUsers clause,
just because there are better ways to solve that problem. You /could/ just
define a group to your system (say the "SshUsers" group), and add all 3000
users to it as a supplemental group. Then, name the one group in the
AllowGroups clause. This gives a much shorter sshd_config clause, and permits
you to add and subtract legal ssh users through the standard Unix group
management tools.

I agree, and there's also the option (with recent versions of OpenSSH)
to use the negative form: DenyUsers which would be still longer than
the AllowGroups, but shorter than listing 3k user names.

Also there is the use of patterns, if the 3k names have something in
common (unlikely), or the hosts from where they are allowed to login
are in a subnet (likely); see man sshd_config and ssh_config.

Regards.
--
René Berber
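
Added example, not part of the original posts: the AllowGroups approach suggested above, written as a dry-run shell script that prints the group-membership commands for a user list plus the one sshd_config line that replaces the long AllowUsers entry. The group name `sshusers`, the function names and the sample user list are constructed for illustration; `groupadd` and `usermod` are assumed to be the Linux shadow-utils tools.

```shell
#!/bin/sh
# Dry run only: prints the commands, executes nothing privileged.

# Read one username per line on stdin and print the commands that add each
# account to GROUP as a supplemental group. Blank lines and #-comments are
# skipped; names that are not plain lowercase logins are reported on stderr
# instead of being passed on to usermod.
plan_group_migration() (
    LC_ALL=C; export LC_ALL            # make the a-z ranges below ASCII-only
    group=$1
    printf 'groupadd -f %s\n' "$group" # -f: succeed if the group already exists
    while IFS= read -r user; do
        user=${user%%#*}               # drop a trailing comment
        user=$(printf '%s' "$user" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $user in
            '') continue ;;
            [!a-z_]*|*[!a-z0-9_-]*)
                printf 'skipped invalid name: %s\n' "$user" >&2
                continue ;;
        esac
        printf 'usermod -aG %s %s\n' "$group" "$user"  # -a keeps existing groups
    done
)

# The single sshd_config line that replaces the long AllowUsers list.
# sshd checks DenyUsers, AllowUsers, DenyGroups, then AllowGroups, so any
# AllowUsers line left in the file must also match for a login to succeed.
sshd_snippet() {
    printf 'AllowGroups %s\n' "$1"
}

# Constructed sample input.
sample_users() {
    cat <<'EOF'
alice
bob   # contractor

bad name;x
carol
EOF
}

sample_users | plan_group_migration sshusers
sshd_snippet sshusers
# After editing sshd_config, run "sshd -t" to check it before reloading sshd.
```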