Release Found: Red Hat Enterprise Linux
Symptom:
You have specified values in /etc/security/limits.conf, but they are not applied when a user logs in through SSH (Secure Shell). If the same user logs in locally or through telnet, the limits are set properly.
Solution:
This problem is due to the way SSH logins are implemented. When a user logs in via SSH, the SSH daemon forks a separate, unprivileged process to handle that specific connection (privilege separation), so the context in which the login session is set up belongs to that unprivileged user rather than to root. An unprivileged process may raise its soft limit only as far as its hard limit and cannot raise a hard limit at all, so a higher value specified in /etc/security/limits.conf fails to take effect: the calling program, i.e. the forked sshd process, lacks the privilege to perform the upward modification.
Two workarounds for this problem exist. One involves a change to the sshd server settings; the other is a command users can issue each time they log in.
- Modifying the SSH daemon to remove privilege separation
Edit /etc/ssh/sshd_config and find the line
#UsePrivilegeSeparation yes
Change it to read:
UsePrivilegeSeparation no
Similarly
#PAMAuthenticationViaKbdInt no
should be changed to read
PAMAuthenticationViaKbdInt yes
Turning off this option removes a layer of defense in depth, and it matters only if a vulnerability in the SSH daemon were found and exploited. With privilege separation off, sshd no longer creates an unprivileged child process to handle incoming connections, so an attacker who exploited a flaw in the connection-handling code would gain control of the sshd process itself, which runs as root. At the time of writing there are no known vulnerabilities in sshd, and if you keep your system updated regularly with up2date, any vulnerabilities that are discovered will be patched quickly. If weakening sshd's configuration is not acceptable on a given host, use the su workaround below instead, which leaves sshd unchanged.
For the change to take effect, you'll need to restart the SSH service:
# service sshd restart
After making this change, users who log in via SSH automatically receive the limits set in /etc/security/limits.conf, for example the maximum number of open files. No additional work is necessary.
- Using "su - $USER" to properly set the maximum number of open files
After users log in via SSH, have them issue the command:
su - $USER
They will be required to enter their password again, but once they have done so the ulimit is set properly, because su runs with root privileges and can therefore raise the limits when it opens the new session. Users will need to run su - $USER each time they log in with SSH in order to receive the proper file limits.
Note: This problem has been fixed in version 3.8 of OpenSSH, which may be included in future releases of Red Hat Enterprise Linux.
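The following script is an added example for this article, not Red Hat's own tooling. It checks the two settings the workarounds depend on (the effective value of an sshd_config keyword, and the limit a user would receive from limits.conf) against constructed sample files, and then demonstrates the soft/hard limit rule that causes the symptom. The helper names sshd_effective, limit_for and ulimit_demo, the sample file contents and the user names are this example's own assumptions.

```shell
#!/bin/bash
# Added example for this article (not Red Hat's own tooling): check the two
# settings the article relies on and show the soft/hard limit rule behind the
# symptom. The sshd_config and limits.conf contents below are constructed for
# the demo; the helper names and user names are this example's own.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sshd_config: UsePrivilegeSeparation is still commented out, so
# the compiled-in default (yes) is what sshd actually uses.
cat >"$tmp/sshd_config" <<'EOF'
#UsePrivilegeSeparation yes
#PAMAuthenticationViaKbdInt no
PAMAuthenticationViaKbdInt yes
EOF

# Constructed limits.conf: a wildcard default plus a user-specific override.
cat >"$tmp/limits.conf" <<'EOF'
# <domain> <type> <item> <value>
*       soft    nofile  1024
*       hard    nofile  4096
dbuser  -       nofile  16384
EOF

# Effective value of an sshd_config keyword. sshd applies the first
# uncommented occurrence of a keyword and ignores later ones; a keyword that
# appears only in comments is at its default ($3 here).
sshd_effective() {  # sshd_effective <file> <keyword> <default>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Limit a user would get from limits.conf for one item and type (soft/hard).
# Simplified pam_limits precedence: a line naming the user beats a "*" line
# whatever the order, and a "-" type sets both soft and hard. @group lines
# are deliberately not handled in this example.
limit_for() {  # limit_for <file> <user> <soft|hard> <item>
    awk -v user="$2" -v type="$3" -v item="$4" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF >= 4 && $3 == item && ($2 == type || $2 == "-") {
            if ($1 == user)     u = $4
            else if ($1 == "*") w = $4
        }
        END { if (u != "") print u; else if (w != "") print w; else print "unset" }
    ' "$1"
}

# The rule that makes the workaround necessary: any process may raise its
# soft limit up to the hard limit, but only root may raise a hard limit.
# Runs in a subshell so the caller's own limits are left untouched.
# Prints "soft:ok hard:ok" as root and "soft:ok hard:refused" otherwise.
ulimit_demo() {
    (
        hard=$(ulimit -Hn); [ "$hard" = unlimited ] && hard=4096
        half=$((hard / 2)); quarter=$((hard / 4))
        # Lowering both limits is always permitted.
        ulimit -Sn "$quarter" && ulimit -Hn "$half" || { echo "setup-failed"; exit 1; }
        if ulimit -Sn "$half" 2>/dev/null; then s=ok; else s=refused; fi
        if ulimit -Hn "$hard" 2>/dev/null; then h=ok; else h=refused; fi
        echo "soft:$s hard:$h"
    )
}

# Usage: inspect the two files, then show the limit rule in action.
echo "UsePrivilegeSeparation     -> $(sshd_effective "$tmp/sshd_config" UsePrivilegeSeparation yes)"
echo "PAMAuthenticationViaKbdInt -> $(sshd_effective "$tmp/sshd_config" PAMAuthenticationViaKbdInt no)"
echo "dbuser soft nofile         -> $(limit_for "$tmp/limits.conf" dbuser soft nofile)"
echo "alice  hard nofile         -> $(limit_for "$tmp/limits.conf" alice hard nofile)"
ulimit_demo
```

Point the two helpers at the real /etc/ssh/sshd_config and /etc/security/limits.conf to confirm that the edit from the first workaround actually took effect (a commented-out line still yields the default) and to see which limits.conf line a given user will hit. ulimit_demo is the mechanism in miniature: run it as an ordinary user and the hard-limit step is refused, which is exactly what happens to the unprivileged sshd child.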