Reload /etc/security/limits.conf

Question

I would like to:

make a soft 64GB limit for resident memory (so inexperienced users will get their run-amok processes killed, but experienced users can raise the limit for memory hungry processes)
raise the hard limit for nofile, but keep the soft limit at 1024 (so if a certain program needs more filehandles, the user can grant them, but run-amok programs will not get them).

As far as I can see, I should be able to do that in /etc/security/limits.conf (or in /etc/security/limits.d/*):

*        soft    rss             64000000
*        hard    nofile          50000
*        soft    nofile          1024

I can, however, not find a way reload these values with out rebooting. I have read that the values are reloaded when logging in; it works when I do su - user but it does not work through ssh user@localhost.

I have the pam_limits.so in /etc/pam.d:

/etc/pam.d/login:session    required   pam_limits.so
/etc/pam.d/sshd:session    required     pam_limits.so
/etc/pam.d/su:session    required   pam_limits.so

I have PAM in sshd_config:

/etc/ssh/sshd_config:UsePAM yes

I know I can set the values using ulimit and sysctl, but I would like to test that the /etc/security/limits.conf is doing the right thing without rebooting.

How can I make sure that the values are being set when people login using ssh without rebooting?

Do you have "UsePAM no" in sshd_config? That may cause the problem. — Samed Beyribey, Aug 06 '12 at 12:15
My /etc/ssh/sshd_config has `UsePAM yes`. Good guess, though. — Ole Tange, Aug 06 '12 at 12:24
Can you try restarting the SSH daemon and then see if users sees the new limits? — pkhamre, Aug 06 '12 at 14:17

score 3 · Accepted Answer · answered Aug 06 '12 at 18:38

Grrr....

UseLogin is not needed.

UsePAM yes is needed.

A restart of sshd is only needed if UsePAM was changed from no to yes.

Disabling my own ~/.ssh/config was needed very much!

I had Control* statements in my ~/.ssh/config which re-used the ssh channel and thus I would not discover the change.

Thanks to Samed Beyribey and quanta, whose help gave me the idea to run ssh -vv which gives very different output when you have Control* statements.

quanta · Answer 2 · 2012-08-06T15:47:19.193

I have read that the values are reloaded when logging in; it works when I do su - user but it does not work through ssh user@localhost.

The reason is: by default, SSH opening a non-login shell, so limits is not being applied.

To make it uses a login shell, edit your sshd_config file and uncomment/change #UseLogin no to UseLogin yes:

gentoo ~ # grep UseLogin /etc/ssh/sshd_config 
#UseLogin no
gentoo ~ # sed -i.bak 's/#UseLogin no/UseLogin yes/' /etc/ssh/sshd_config 
gentoo ~ # grep UseLogin /etc/ssh/sshd_config 
UseLogin yes

Reload the sshd and try again.

Source: http://znx.no/2011/01/ssh-and-limits/

Reload /etc/security/limits.conf

2 Answers2