[Centos] CentOS 3.1: sshd and pam /etc/security/limits.conf file descriptor settings problem

Well, I found a workaround if not the answer.  Modify
/etc/ssh/sshd_config and set 'UsePrivilegeSeparation' to no, then
restart sshd.  The default for UsePrivilegeSeparation is yes.

My guess is that, under UsePrivilegeSeparation yes, sshd is changing the
euid to the incoming user AFTER opening the PAM session - thus causing
the user to get the system defaults.  Maybe somebody could provide a
better explanation than me?

Cheers!
Sean

On Mon, 2004-09-13 at 16:57, centos-admin@xxxxxxxxxxx wrote:
> Why can't non-uid 0 users have more than 1024 file descriptors when
> logging in via ssh?
>
> I'm trying to allow a user to have a hard limit of 8192 file
> descriptors (system defaults to 1024) via the following setting in
> /etc/security/limits.conf:
> jdoe	hard    nofile          8192
>
> But when jdoe logs in via ssh and does 'ulimit -Hn' he gets '1024' as a
> response.  If he tries to set it with 'ulimit -Hn 8192' he gets an
> 'Operation not permitted' error.  If jdoe instead telnets to the box, he
> gets the hard limit of 8192 file descriptors.
>
> Here is what happens when I set the hard limit to 512 in limits.conf:
> jdoe	hard    nofile          512
>
> When jdoe logs in via ssh, he gets a hard limit of 512 file
> descriptors.  The same goes for telnet.  So ssh is certainly reading the
> limits.conf file and applying the settings, so long as nofile <= 1024.
>
> Why won't ssh allow users to have more than 1024 file descriptors???
>
> Many thanks!
> -Sean
-- 
+--------------------------------------------------------------------+
| Sean Staats      Systems Administrator, Developer
| Questia Media, Inc.               http://www.questia.com
| PGP public key:  http://www.staats.us/sean/keys/qpgp.asc
|"Linux - World domination. Fast."        --Linus Torvalds
+--------------------------------------------------------------------+
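
The asymmetry reported in this thread (a hard limit of 512 is applied, 8192 is refused with 'Operation not permitted') matches the kernel rule for setrlimit(2) on Linux: any process may lower its hard RLIMIT_NOFILE, but raising it requires CAP_SYS_RESOURCE, so a limit set after privileges are dropped can only go down. The C program below is an added example, not code from the thread or from OpenSSH; the values 512 and 8192 come from the messages above, and the uid/gid 65534 and the DROP_FAILED marker are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DROP_FAILED 200  /* constructed marker: child could not drop root */
#define UNPRIV_ID 65534  /* assumption: "nobody" uid/gid on most Linux systems */

/* Set the hard nofile limit of the calling process; returns 0 or errno. */
static int set_hard_nofile(rlim_t hard)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return errno;
    rl.rlim_max = hard;
    if (rl.rlim_cur > hard)
        rl.rlim_cur = hard;          /* the soft limit may never exceed the hard one */
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : errno;
}

/* In a forked child: give up root if we have it, set the hard limit to
 * `first`, then to `second`. Returns the result (0 or errno) of the last call. */
int hard_limit_sequence(rlim_t first, rlim_t second)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (geteuid() == 0 && (setgid(UNPRIV_ID) != 0 || setuid(UNPRIV_ID) != 0))
            _exit(DROP_FAILED);
        int rc = set_hard_nofile(first);
        if (rc == 0 && second != first)
            rc = set_hard_nofile(second);
        _exit(rc);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int down = hard_limit_sequence(512, 512);   /* lowering as an ordinary user */
    int up = hard_limit_sequence(512, 8192);    /* raising as an ordinary user */
    printf("lower to 512: %s\n", down ? strerror(down) : "ok");
    printf("512 -> 8192:  %s\n", up ? strerror(up) : "ok");
    return 0;
}
```

The limits are changed only in a forked child, so the shell that runs the program keeps its own limits.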
