Date:      Thu, 20 Nov 2003 16:57:10 -0800
From:      Len Sassaman <rabbi@anonymizer.com>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: Help request: problems with a 5.1 server and large numbers of ssh users.
Message-ID:  <A2F7313E-1BBD-11D8-924D-000A959E7C72@anonymizer.com>
In-Reply-To: <Pine.NEB.3.96L.1031120104909.19991E-100000@fledge.watson.org>
References:  <Pine.NEB.3.96L.1031120104909.19991E-100000@fledge.watson.org>

> Hmm.  Well, it certainly sounds like a resource limit to me, especially if
> it's a nice round number like "150" or "300".  However, I'm also having a
> bit of trouble seeing, off the top of my head, which limit it might be.
> It sounds like you've got the ones I would think of.  A quick skim of
> sshd.c suggests that it is pretty careful to document various failure
> modes in debugging output.  There are one or two failures where it does
> not log, and they include the call to pipe() in the server loop -- if that
> fails, it bails without an error, which is a little surprising.  Could you
> post server debug output for the first connection to the server that
> fails?  This would let us "see how far it got"...  In particular, whether
> it did spawn a child process, etc.
>

I have never gotten this to fail when sshd is running in debug mode 
(i.e., sshd -ddd). However, given that it doesn't fork when run with 
-d, that still doesn't tell us too much.

When I set LogLevel DEBUG3, this is as much info as I am given in the 
auth.log:

Nov 20 16:39:19 clyde sshd[63993]: Failed none for rabbi from 127.0.0.1 port 62701 ssh2

And this is the debug output for the connection, as seen from the 
client:

bash-2.05b# ssh -vvv -l rabbi localhost
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22.
socket: Protocol not supported
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

This can't be a system-wide process related resource issue, I don't 
think, because once a user connects and authenticates, there are no 
problems of note. I'm leaning toward a socket related limit or 
user-level limit. However, since sysctl tells me:

kern.ipc.maxsockbuf: 262144
kern.ipc.somaxconn: 16384
kern.ipc.numopensockets: 2201
kern.ipc.maxsockets: 49312

I tend to not believe the former, and why the latter would be occurring 
escapes me as well. 


