
I would like to:

  • make a soft 64GB limit for resident memory (so inexperienced users will get their run-amok processes killed, but experienced users can raise the limit for memory hungry processes)
  • raise the hard limit for nofile, but keep the soft limit at 1024 (so if a certain program needs more filehandles, the user can grant them, but run-amok programs will not get them).

As far as I can see, I should be able to do that in /etc/security/limits.conf (or in /etc/security/limits.d/*):

*        soft    rss             64000000
*        hard    nofile          50000
*        soft    nofile          1024

I can, however, not find a way to reload these values without rebooting. I have read that the values are reloaded when logging in; it works when I do su - user but it does not work through ssh user@localhost.

I have the pam_limits.so in /etc/pam.d:

/etc/pam.d/login:session    required   pam_limits.so
/etc/pam.d/sshd:session    required     pam_limits.so
/etc/pam.d/su:session    required   pam_limits.so

I have PAM in sshd_config:

/etc/ssh/sshd_config:UsePAM yes

I know I can set the values using ulimit and sysctl, but I would like to test that the /etc/security/limits.conf is doing the right thing without rebooting.

How can I make sure that the values are being set when people login using ssh without rebooting?

Ole Tange

2 Answers


Grrr....

UseLogin is not needed.

UsePAM yes is needed.

A restart of sshd is only needed if UsePAM was changed from no to yes.

Disabling my own ~/.ssh/config was needed very much!

I had Control* statements in my ~/.ssh/config which re-used the ssh channel and thus I would not discover the change.

Thanks to Samed Beyribey and quanta, whose help gave me the idea to run ssh -vv which gives very different output when you have Control* statements.

Ole Tange
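A check for the pitfall described in the answer above, added here as an example (it is not part of the original question or either answer): open a fresh ssh session that ignores any Control* settings in ~/.ssh/config, have the remote shell report its limits, and compare the nofile values against the limits.conf lines from the question. The script, its function names, the exact report format and the user@localhost argument are assumptions of the example.

```shell
#!/bin/sh
# Verify that pam_limits applies /etc/security/limits.conf to a *fresh* ssh
# session. Added example, not code from the original post. The argument is
# whatever you would pass to ssh (e.g. user@localhost).

# Values expected from the limits.conf shown in the question.
EXPECT_SOFT_NOFILE=1024
EXPECT_HARD_NOFILE=50000

# Remote command that reports the new session's limits on one line.
# (ulimit -Sm is RLIMIT_RSS in KB, the same unit limits.conf uses for rss.)
REMOTE_CMD='printf "soft_nofile=%s hard_nofile=%s soft_rss=%s\n" "$(ulimit -Sn)" "$(ulimit -Hn)" "$(ulimit -Sm)"'

# Force a brand-new connection: ControlMaster=no / ControlPath=none override
# any Control* lines in ~/.ssh/config, so a multiplexed master session opened
# before limits.conf was edited cannot hand back its old limits.
remote_limits() {
    ssh -o ControlMaster=no -o ControlPath=none "$1" "$REMOTE_CMD"
}

# parse_limit KEY "k1=v1 k2=v2 ..." -> prints the value for KEY, 1 if absent.
parse_limit() {
    key=$1
    line=$2
    for kv in $line; do
        case $kv in
            "$key"=*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# check_limits "LINE" SOFT HARD -> 0 when both nofile limits match, 1 otherwise.
check_limits() {
    soft=$(parse_limit soft_nofile "$1") || return 1
    hard=$(parse_limit hard_nofile "$1") || return 1
    [ "$soft" = "$2" ] && [ "$hard" = "$3" ]
}

# Usage: ./check-limits.sh user@localhost
if [ $# -eq 1 ]; then
    line=$(remote_limits "$1") || exit 2
    echo "$line"
    if check_limits "$line" "$EXPECT_SOFT_NOFILE" "$EXPECT_HARD_NOFILE"; then
        echo "OK: limits.conf is applied to fresh ssh sessions"
    else
        echo "MISMATCH: expected soft nofile $EXPECT_SOFT_NOFILE, hard nofile $EXPECT_HARD_NOFILE" >&2
        exit 1
    fi
fi
```

Run it against the same host before and after editing limits.conf; if the output changes without an sshd restart, pam_limits is doing its job for ssh logins. Two caveats: a session that still shows the old values while ssh -vv prints "multiplexing control connection" is the ControlMaster reuse described in the answer, and on Linux the kernel does not enforce RLIMIT_RSS, so the soft_rss value is reported but has no effect on running processes.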

I have read that the values are reloaded when logging in; it works when I do su - user but it does not work through ssh user@localhost.

The reason is: by default, SSH opens a non-login shell, so the limits are not being applied.

To make it use a login shell, edit your sshd_config file and uncomment/change #UseLogin no to UseLogin yes:

gentoo ~ # grep UseLogin /etc/ssh/sshd_config 
#UseLogin no
gentoo ~ # sed -i.bak 's/#UseLogin no/UseLogin yes/' /etc/ssh/sshd_config 
gentoo ~ # grep UseLogin /etc/ssh/sshd_config 
UseLogin yes

Reload the sshd and try again.

Source: http://znx.no/2011/01/ssh-and-limits/

quanta