Bug 1327

Summary: The limit of 100 forwarded ports is arbitrary and unnecessary
Product: Portable OpenSSH
Reporter: Archie Cobbs <archie>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: djm
Priority: P1
Version: 4.6p1
Hardware: All
OS: Linux
Bug Depends on:
Bug Blocks: 1708
Attachments:
/home/djm/ssh-unlimit-forwards.diff (flags: none)

Description Archie Cobbs 2007-07-03 00:25:57 AEST
Subject line says it all.

The limit of 100 forwarded ports (e.g., using "-L" flag) is arbitrary and unnecessary. It is an example of what John Ousterhout would call a "voodoo constant", i.e., a value randomly chosen by a developer at some point in time without any basis in science or measurement. It is an example of the frowned-upon practice of encoding policy into software (software should encode mechanisms... policy should be left to config files, command line flags, etc. (i.e., a human)).

This limitation is like having a law stating that you are not allowed to buy more than 5 dozen eggs at the supermarket. Sure, most people don't buy more than 60 eggs at a time, but does that mean there needs to be a law against it?

Motivation: at my company we use SSH port forwarding as part of a cheap and dirty VPN scheme to establish contact between many machines. Now that there are more than 100 other machines out there, this scheme has stopped working. All because of a completely artificial and unnecessary limit.

This limitation is easily worked around, of course: just start two or more SSH sessions. Kind of like going to the store twice in a row to buy 120 eggs by buying 60 eggs twice. This of course is just more evidence that this limitation is useless.

So at the minimum, please make this limit configurable in /etc/ssh/ssh_config, or better yet get rid of it altogether. The UNIX O/S already has mechanisms in place to limit resource utilization by individual accounts. SSH doesn't need to apply its own additional, arbitrary limitation.

Thanks!
Comment 1 Josh Triplett 2008-01-03 16:31:34 AEDT
I agree that this does seem like an arbitrary limit.  However, to address your particular use-case, you might find the new tunnel support useful.
Comment 2 Damien Miller 2010-06-18 12:35:09 AEST
Created attachment 1866
/home/djm/ssh-unlimit-forwards.diff

dynamically allocate forwards and permitted opens.

Use of xrealloc should be sufficient to avoid integer overflows.
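To illustrate the approach comment 2 describes (replacing a fixed-size table with a dynamically grown one, and checking the allocation size for integer overflow the way xrealloc does), here is a constructed C example; it is not the attached patch or OpenSSH's code, and the `struct fwd` / `fwd_list` names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a minimal forward record and a growable list.
 * These names are hypothetical, not OpenSSH's structures. */
struct fwd {
    char listen_host[64];
    int  listen_port;
    char connect_host[64];
    int  connect_port;
};

struct fwd_list {
    struct fwd *v;     /* heap array grown on demand, instead of a fixed [100] */
    size_t n, cap;     /* caller frees v when done */
};

/* Double the capacity, refusing when cap * sizeof(*v) would wrap around.
 * This is the overflow check xrealloc performs before calling realloc. */
static int fwd_list_grow(struct fwd_list *l)
{
    size_t ncap = l->cap ? l->cap * 2 : 8;
    if (ncap < l->cap || ncap > SIZE_MAX / sizeof(*l->v))
        return -1;                       /* allocation size would overflow */
    struct fwd *nv = realloc(l->v, ncap * sizeof(*l->v));
    if (nv == NULL)
        return -1;                       /* out of memory */
    l->v = nv;
    l->cap = ncap;
    return 0;
}

/* Append a forward; returns 0 on success, -1 if the list cannot grow. */
int fwd_list_add(struct fwd_list *l, const char *lhost, int lport,
                 const char *chost, int cport)
{
    if (l->n == l->cap && fwd_list_grow(l) != 0)
        return -1;
    struct fwd *f = &l->v[l->n];
    snprintf(f->listen_host, sizeof f->listen_host, "%s", lhost);
    snprintf(f->connect_host, sizeof f->connect_host, "%s", chost);
    f->listen_port = lport;
    f->connect_port = cport;
    l->n++;
    return 0;
}
```

With no hard-coded cap, the only limits left are the ones the operating system already enforces (memory, file descriptors, ulimits), which is the point the reporter makes.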
Comment 3 Damien Miller 2010-06-25 17:14:59 AEST
patch applied - will be in OpenSSH-5.6
Comment 4 Damien Miller 2011-01-24 12:33:57 AEDT
Move resolved bugs to CLOSED after 5.7 release