For SuSE, some of these questions may need another reference: http://blog.chinaunix.net/u2/64804/showart.php?id=2026903
Related versions: Red Hat Enterprise Linux
Symptom:
Values set in the file /etc/security/limits.conf do not take effect when you log in to the system through SSH. If you log in through Telnet or locally, the settings do take effect.
Solution:
This problem is caused by the way SSH handles logins. When a user logs in via SSH, the SSH daemon creates a new process to handle the connection, and that process runs in the user's context. Because normal users cannot raise their own ulimit restrictions, a higher value in the file /etc/security/limits.conf cannot be activated: the calling program, in this case sshd, is restricted from modifying these attributes.
There are currently two solutions to this problem. The first is to modify the settings of the sshd server. The other is to run a command every time you log in.
1. Modify the SSH daemon's configuration file /etc/ssh/sshd_config to disable privilege separation. Change:
#UsePrivilegeSeparation yes
to:
UsePrivilegeSeparation no
Also change:
#PAMAuthenticationViaKbdInt no
to:
PAMAuthenticationViaKbdInt yes
Disabling privilege separation poses some security risk. However, the risk only materializes when a vulnerability in the SSH daemon is discovered and exploited. With privilege separation disabled, sshd does not create an unprivileged child process to handle inbound connections. If a vulnerability exists and is exploited, someone can take control of the sshd process, which runs as root. Up to now, there are no known vulnerabilities. If you regularly use up2date to upgrade your system, any vulnerabilities will be corrected quickly after they are detected.
For the change to take effect, you need to restart sshd:
# service sshd restart
After this change, when a user logs in through SSH, the maximum number of open files for the session is set according to the /etc/security/limits.conf file. No additional steps are required.
2. Use "su - $USER" to set the maximum number of open files. Run the following command after logging in through SSH:
su - $USER
The user is asked to enter the password again. This sets the ulimit correctly. You will need to run su - $USER each time you log in for the file limits to be set correctly.
Note: This problem has been solved in SSH 3.8. In addition, Red Hat Enterprise Linux will adopt this version later.
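Added example (not part of the original article): shell functions to check, from inside an SSH session, whether the nofile value in /etc/security/limits.conf was applied, and to report whether an sshd_config still has privilege separation disabled after solution 1. The user name oracle, the sample values and the temporary files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Print the nofile value limits.conf assigns to USER for TYPE (soft|hard).
# A user line overrides the "*" wildcard; type "-" sets both soft and hard.
# Assumption: @group entries and /etc/security/limits.d are not handled.
limits_nofile() {  # usage: limits_nofile USER TYPE [FILE]
    awk -v u="$1" -v t="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $3 != "nofile" || ($2 != t && $2 != "-") { next }
        $1 == u   { user = $4 }
        $1 == "*" { wild = $4 }
        END { if (user != "") print user; else if (wild != "") print wild }
    ' "${3:-/etc/security/limits.conf}"
}

# Print the effective UsePrivilegeSeparation value in an sshd_config.
# sshd uses the first occurrence of a keyword and ignores commented lines,
# so a file holding only "#UsePrivilegeSeparation yes" yields "default".
privsep_setting() {  # usage: privsep_setting [FILE]
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); f = 1; exit }
         END { if (!f) print "default" }' "${1:-/etc/ssh/sshd_config}"
}

# Compare the current session's soft nofile limit with the configured one.
check_session() {  # usage: check_session USER [LIMITS_FILE]
    want=$(limits_nofile "$1" soft "$2")
    have=$(ulimit -Sn)
    [ -z "$want" ] && { echo "no nofile entry for $1"; return 2; }
    [ "$want" = "$have" ] && { echo "ok: nofile=$have"; return 0; }
    echo "mismatch: limits.conf=$want session=$have"; return 1
}

# Constructed sample files (not from the article) to exercise the functions.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '*      soft nofile 1024' 'oracle soft nofile 65536' \
    'oracle hard nofile 65536' > "$tmp/limits.conf"
printf '%s\n' '#UsePrivilegeSeparation yes' 'UsePrivilegeSeparation no' \
    > "$tmp/sshd_config"
echo "oracle soft nofile: $(limits_nofile oracle soft "$tmp/limits.conf")"
echo "privilege separation: $(privsep_setting "$tmp/sshd_config")"
```

On a real host, run check_session "$USER" in a fresh SSH session; a "mismatch" result means the session did not pick up the configured limit.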