Sean Staats
2004-Sep-13 21:57 UTC
[Centos] CentOS 3.1: sshd and pam /etc/security/limits.conf file descriptor settings problem
Why can't non-uid 0 users have more than 1024 file descriptors when logging in via ssh?

I'm trying to allow a user to have a hard limit of 8192 file descriptors (system defaults to 1024) via the following setting in /etc/security/limits.conf:

    jdoe hard nofile 8192

But when jdoe logs in via ssh and does 'ulimit -Hn' he gets '1024' as a response. If he tries to set it with 'ulimit -Hn 8192' he gets an 'Operation not permitted' error. If jdoe instead telnets to the box, he gets the hard limit of 8192 file descriptors.

Here is what happens when I set the hard limit to 512 in limits.conf:

    jdoe hard nofile 512

When jdoe logs in via ssh, he gets a hard limit of 512 file descriptors. The same goes for telnet. So ssh is certainly reading the limits.conf file and applying the settings, so long as nofile <= 1024.

Why won't ssh allow users to have more than 1024 file descriptors???

Many thanks!
-Sean
Sean Staats
2004-Sep-13 23:27 UTC
[Centos] CentOS 3.1: sshd and pam /etc/security/limits.conf file descriptor settings problem
Well, I found a workaround if not the answer. Modify /etc/ssh/sshd_config and set 'UsePrivilegeSeparation' to no, then restart sshd. The default for UsePrivilegeSeparation is yes.

My guess is that, under UsePrivilegeSeparation yes, sshd is changing the euid to the incoming user AFTER opening the PAM session - thus causing the user to get the system defaults. Maybe somebody could provide a better explanation than me?

Cheers!
Sean

On Mon, 2004-09-13 at 16:57, centos-admin at caosity.org wrote:
> Why can't non-uid 0 users have more than 1024 file descriptors when
> logging in via ssh?
>
> I'm trying to allow a user to have a hard limit of 8192 file
> descriptors (system defaults to 1024) via the following setting in
> /etc/security/limits.conf:
> jdoe hard nofile 8192
>
> But when jdoe logs in via ssh and does 'ulimit -Hn' he gets '1024' as a
> response. If he tries to set it with 'ulimit -Hn 8192' he gets an
> 'Operation not permitted' error. If jdoe instead telnets to the box, he
> gets the hard limit of 8192 file descriptors.
>
> Here is what happens when I set the hard limit to 512 in limits.conf:
> jdoe hard nofile 512
>
> When jdoe logs in via ssh, he gets a hard limit of 512 file
> descriptors. The same goes for telnet. So ssh is certainly reading the
> limits.conf file and applying the settings, so long as nofile <= 1024.
>
> Why won't ssh allow users to have more than 1024 file descriptors???
>
> Many thanks!
> -Sean

-- 
+--------------------------------------------------------------------+
| Sean Staats                      Systems Administrator, Developer   |
| Questia Media, Inc.                        http://www.questia.com   |
| PGP public key:          http://www.staats.us/sean/keys/qpgp.asc    |
| "Linux - World domination. Fast."            --Linus Torvalds       |
+--------------------------------------------------------------------+
Sean Staats
2004-Sep-14 14:50 UTC
[Centos] CentOS 3.1: sshd and pam /etc/security/limits.conf file descriptor settings problem
Actually, I think sshd is changing the euid to the incoming user BEFORE opening the PAM session. This makes more sense because a non-privileged user cannot change the # file descriptors above 1024, only root can. Turning UsePrivilegeSeparation off makes sshd open the PAM session as root, thus changing # file desc. before turning it over to the non-privileged user.

Keep in mind this is just a best guess explanation. :-)

Cheers!
-Sean

On Mon, 2004-09-13 at 18:27, centos-admin at caosity.org wrote:
> Well, I found a workaround if not the answer. Modify
> /etc/ssh/sshd_config and set 'UsePrivilegeSeparation' to no, then
> restart sshd. The default for UsePrivilegeSeparation is yes.
>
> My guess is that, under UsePrivilegeSeparation yes, sshd is changing the
> euid to the incoming user AFTER opening the PAM session - thus causing
> the user to get the system defaults. Maybe somebody could provide a
> better explanation than me?
>
> Cheers!
> Sean
>
> On Mon, 2004-09-13 at 16:57, centos-admin at caosity.org wrote:
> > Why can't non-uid 0 users have more than 1024 file descriptors when
> > logging in via ssh?
> >
> > I'm trying to allow a user to have a hard limit of 8192 file
> > descriptors (system defaults to 1024) via the following setting in
> > /etc/security/limits.conf:
> > jdoe hard nofile 8192
> >
> > But when jdoe logs in via ssh and does 'ulimit -Hn' he gets '1024' as a
> > response. If he tries to set it with 'ulimit -Hn 8192' he gets an
> > 'Operation not permitted' error. If jdoe instead telnets to the box, he
> > gets the hard limit of 8192 file descriptors.
> >
> > Here is what happens when I set the hard limit to 512 in limits.conf:
> > jdoe hard nofile 512
> >
> > When jdoe logs in via ssh, he gets a hard limit of 512 file
> > descriptors. The same goes for telnet. So ssh is certainly reading the
> > limits.conf file and applying the settings, so long as nofile <= 1024.
> >
> > Why won't ssh allow users to have more than 1024 file descriptors???
> >
> > Many thanks!
> > -Sean
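The two checks this thread turns on (does the limits.conf entry actually reach the ssh session, and why does 'ulimit -Hn 8192' fail with 'Operation not permitted' for an unprivileged process), as an added Python example that is not part of the original thread. It parses a constructed limits.conf sample (not the poster's file), resolves the entry pam_limits would apply for a user (user line over @group line over the '*' default; the later-line-wins rule among equal-rank lines is an assumption of this example), compares it with the hard RLIMIT_NOFILE of the current process, and attempts the raise the way the shell's ulimit does, reporting the kernel's EPERM instead of failing.

```python
"""Check whether a pam_limits 'nofile' entry reached this session, and show
why an unprivileged process cannot raise its own hard limit.
Added example with constructed sample data; not the poster's configuration."""
import resource

# Constructed sample in /etc/security/limits.conf format (not a real file).
SAMPLE_LIMITS_CONF = """\
#<domain>      <type>  <item>   <value>
*              soft    nofile   1024
*              hard    nofile   1024
@ops           hard    nofile   4096
jdoe           hard    nofile   8192     # the entry from the thread
"""


def parse_limits(text):
    """Parse limits.conf into (domain, type, item, value) tuples.
    Comments and blank lines are skipped; type '-' expands to soft and hard."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skipped here, as pam_limits skips them
        domain, ltype, item, value = parts
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            entries.append((domain, t, item, value))
    return entries


def expected_limit(entries, user, groups, item="nofile", ltype="hard"):
    """Value pam_limits would apply for user: an explicit user line beats a
    @group line, which beats the '*' default. Among lines of equal rank the
    later one wins (assumption of this example). None if nothing matches."""
    best, best_rank = None, -1
    for domain, t, i, value in entries:
        if t != ltype or i != item:
            continue
        if domain == user:
            rank = 2
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        elif domain == "*":
            rank = 0
        else:
            continue
        if rank >= best_rank:
            best, best_rank = value, rank
    if best is None or best == "unlimited":
        return best
    return int(best)


def effective_hard_nofile():
    """Hard RLIMIT_NOFILE of this process, i.e. what 'ulimit -Hn' prints."""
    _soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return "unlimited" if hard == resource.RLIM_INFINITY else hard


def check_session(user, groups, conf_text=SAMPLE_LIMITS_CONF):
    """Compare the configured hard nofile with the one this session got.
    A configured value above the effective one is the symptom in the thread:
    the limit was applied by a process that lacked the privilege to raise it."""
    configured = expected_limit(parse_limits(conf_text), user, groups)
    effective = effective_hard_nofile()
    return {"configured": configured, "effective": effective,
            "match": configured == effective}


def try_raise_hard_nofile(target):
    """Do what 'ulimit -Hn <target>' does. Raising a hard limit needs
    CAP_SYS_RESOURCE; otherwise the kernel answers EPERM, which CPython
    surfaces as ValueError. If the raise succeeds the old limit is restored."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if hard == resource.RLIM_INFINITY or target <= hard:
        return "not a raise"  # lowering is always allowed, and cannot be undone
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (soft, target))
    except (ValueError, OSError) as exc:
        return f"refused: {exc}"  # 'Operation not permitted' in shell terms
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))  # lower back
    return "raised (process is privileged)"


if __name__ == "__main__":
    print(check_session("jdoe", groups=[]))
    print(try_raise_hard_nofile(8192))
```

Run it inside the ssh session being diagnosed: a 'configured' value higher than 'effective' reproduces the thread's symptom, and the 'refused' outcome from try_raise_hard_nofile is the same EPERM that sshd's unprivileged child hits when pam_limits runs after the euid has already been switched to the user.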