为什么openssh6.6p1 不能获取ulimit 值

dr12456

请高手帮忙看下，是我设置问题还是软件问题。
因安全需要将openssh 升级到最新版，因设备较多，编译rpm安装会存在依赖关系，使用源码安装又觉得麻烦。当时使用的源码安装。现在遇到问题如下。

使用ssh 登录主机后，用户不能获取到ulimit 值。这里我设置了open files 为102400，但登录后值为1024.  su - 切换后可正常获取到设置的值。root也存在同样问题。

sshd_config默认，未配置。

以下是我测试的情况

1. 
   
2. [moon@MOON ~]$ ulimit -n
   
3. 102400
   
4. [moon@MOON ~]$ exit
   
5. logout
   
6. You have new mail in /var/spool/mail/moon
   
7. [moon@MOON ~]$ ssh 192.168.180.129
   
8. moon@192.168.180.129's password:
   
9. Last login: Fri Aug 29 10:30:51 2014 from 192.168.180.129
   
10. [moon@MOON ~]$ ulimit -n
    
11. 1024
    
12. [moon@MOON ~]$ su - moon
    
13. Password:
    
14. [moon@MOON ~]$ ulimit -n
    
15. 102400
    
16. [moon@MOON ~]$ ssh 192.168.180.129
    
17. moon@192.168.180.129's password:
    
18. Last login: Fri Aug 29 10:44:18 2014 from 192.168.180.129
    
19. [moon@MOON ~]$ ulimit -n
    
20. 1024
    
21. [moon@MOON ~]$ ssh -V
    
22. OpenSSH_6.6p1, OpenSSL 1.0.0-fips 29 Mar 2010
    
23. [moon@MOON ~]$ ssh 192.168.180.129 -l root
    
24. root@192.168.180.129's password:
    
25. Last login: Fri Aug 29 10:03:09 2014 from 192.168.180.129
    
26. [root@MOON ~]# ulimit -n
    
27. 1024
    
28. [root@MOON ~]# su - root
    
29. [root@MOON ~]# ulimit -n
    
30. 102400
    
31. [root@MOON ~]# service sshd restart
    
32. starting /usr/local/openssh-6.6p1/sbin/sshd... \c
    
33. done.
    
34. [root@MOON ~]# ssh 192.168.180.129 -l moon
    
35. no such identity: /root/.ssh/kdump_id_rsa: No such file or directory
    
36. moon@192.168.180.129's password:
    
37. Last login: Fri Aug 29 10:45:12 2014 from 192.168.180.129
    
38. [moon@MOON ~]$ ulimit -n
    
39. 102400
    
40. [moon@MOON ~]$ exit
    
41. logout
    
42. Connection to 192.168.180.129 closed.
    
43. [root@MOON ~]# ulimit -n
    
44. 102400
    
45. [root@MOON ~]# exit
    
46. logout
    
47. [root@MOON ~]# ulimit -n
    
48. 1024
    
49. [root@MOON ~]# service sshd restart
    
50. starting /usr/local/openssh-6.6p1/sbin/sshd... \c
    
51. done.
    
52. [root@MOON ~]# ssh 192.168.180.129 -l moon
    
53. no such identity: /root/.ssh/kdump_id_rsa: No such file or directory
    
54. moon@192.168.180.129's password:
    
55. Last login: Fri Aug 29 10:50:22 2014 from 192.168.180.129
    
56. [moon@MOON ~]$ ulimit -n
    
57. 1024
    
58. [moon@MOON ~]$

复制代码

以下是sshd_config的配置

1. [root@MOON ~]# cat /usr/local/openssh-6.6p1/etc/sshd_config
   
2. #       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
   
3. 
   
4. # This is the sshd server system-wide configuration file.  See
   
5. # sshd_config(5) for more information.
   
6. 
   
7. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
   
8. 
   
9. # The strategy used for options in the default sshd_config shipped with
   
10. # OpenSSH is to specify options with their default value where
    
11. # possible, but leave them commented.  Uncommented options override the
    
12. # default value.
    
13. 
    
14. #Port 22
    
15. #AddressFamily any
    
16. #ListenAddress 0.0.0.0
    
17. #ListenAddress ::
    
18. 
    
19. # The default requires explicit activation of protocol 1
    
20. #Protocol 2
    
21. 
    
22. # HostKey for protocol version 1
    
23. #HostKey /usr/local/etc/ssh_host_key
    
24. # HostKeys for protocol version 2
    
25. #HostKey /usr/local/etc/ssh_host_rsa_key
    
26. #HostKey /usr/local/etc/ssh_host_dsa_key
    
27. #HostKey /usr/local/etc/ssh_host_ecdsa_key
    
28. #HostKey /usr/local/etc/ssh_host_ed25519_key
    
29. 
    
30. # Lifetime and size of ephemeral version 1 server key
    
31. #KeyRegenerationInterval 1h
    
32. #ServerKeyBits 1024
    
33. 
    
34. # Ciphers and keying
    
35. #RekeyLimit default none
    
36. 
    
37. # Logging
    
38. # obsoletes QuietMode and FascistLogging
    
39. #SyslogFacility AUTH
    
40. #LogLevel INFO
    
41. 
    
42. # Authentication:
    
43. 
    
44. #LoginGraceTime 2m
    
45. #PermitRootLogin yes
    
46. #StrictModes yes
    
47. #MaxAuthTries 6
    
48. #MaxSessions 10
    
49. 
    
50. #RSAAuthentication yes
    
51. #PubkeyAuthentication yes
    
52. 
    
53. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    
54. # but this is overridden so installations will only check .ssh/authorized_keys
    
55. AuthorizedKeysFile      .ssh/authorized_keys
    
56. 
    
57. #AuthorizedPrincipalsFile none
    
58. 
    
59. #AuthorizedKeysCommand none
    
60. #AuthorizedKeysCommandUser nobody
    
61. 
    
62. # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
    
63. #RhostsRSAAuthentication no
    
64. # similar for protocol version 2
    
65. #HostbasedAuthentication no
    
66. # Change to yes if you don't trust ~/.ssh/known_hosts for
    
67. # RhostsRSAAuthentication and HostbasedAuthentication
    
68. #IgnoreUserKnownHosts no
    
69. # Don't read the user's ~/.rhosts and ~/.shosts files
    
70. #IgnoreRhosts yes
    
71. 
    
72. # To disable tunneled clear text passwords, change to no here!
    
73. #PasswordAuthentication yes
    
74. #PermitEmptyPasswords no
    
75. 
    
76. # Change to no to disable s/key passwords
    
77. #ChallengeResponseAuthentication yes
    
78. 
    
79. # Kerberos options
    
80. #KerberosAuthentication no
    
81. #KerberosOrLocalPasswd yes
    
82. #KerberosTicketCleanup yes
    
83. #KerberosGetAFSToken no
    
84. 
    
85. # GSSAPI options
    
86. #GSSAPIAuthentication no
    
87. #GSSAPICleanupCredentials yes
    
88. 
    
89. # Set this to 'yes' to enable PAM authentication, account processing,
    
90. # and session processing. If this is enabled, PAM authentication will
    
91. # be allowed through the ChallengeResponseAuthentication and
    
92. # PasswordAuthentication.  Depending on your PAM configuration,
    
93. # PAM authentication via ChallengeResponseAuthentication may bypass
    
94. # the setting of "PermitRootLogin without-password".
    
95. # If you just want the PAM account and session checks to run without
    
96. # PAM authentication, then enable this but set PasswordAuthentication
    
97. # and ChallengeResponseAuthentication to 'no'.
    
98. #UsePAM no
    
99. 
    
100. #AllowAgentForwarding yes
     
101. #AllowTcpForwarding yes
     
102. #GatewayPorts no
     
103. #X11Forwarding no
     
104. #X11DisplayOffset 10
     
105. #X11UseLocalhost yes
     
106. #PermitTTY yes
     
107. #PrintMotd yes
     
108. #PrintLastLog yes
     
109. #TCPKeepAlive yes
     
110. #UseLogin no
     
111. UsePrivilegeSeparation sandbox          # Default for new installations.
     
112. #PermitUserEnvironment no
     
113. #Compression delayed
     
114. #ClientAliveInterval 0
     
115. #ClientAliveCountMax 3
     
116. #UseDNS yes
     
117. #PidFile /var/run/sshd.pid
     
118. #MaxStartups 10:30:100
     
119. #PermitTunnel no
     
120. #ChrootDirectory none
     
121. #VersionAddendum none
     
122. 
     
123. # no default banner path
     
124. #Banner none
     
125. 
     
126. # override default of no subsystems
     
127. Subsystem       sftp    /usr/local/libexec/sftp-server
     
128. 
     
129. # Example of overriding settings on a per-user basis
     
130. #Match User anoncvs
     
131. #       X11Forwarding no
     
132. #       AllowTcpForwarding no
     
133. #       PermitTTY no
     
134. #       ForceCommand cvs server
     
135. [root@MOON ~]#

复制代码

q1208c

把 sshd_config 中的 UsePAM no 改成 UsePAM yes 就可以了.

dr12456

回复 2# q1208c

刚测试了，不行呢。

1. [root@MOON ~]# ulimit -n
   
2. 1024
   
3. [root@MOON ~]# service sshd restart
   
4. starting /usr/local/openssh-6.6p1/sbin/sshd... \c
   
5. /usr/local/openssh-6.6p1/etc/sshd_config line 97: Unsupported option UsePAM
   
6. done.
   
7. [root@MOON ~]# ssh 192.168.180.129
   
8. no such identity: /root/.ssh/kdump_id_rsa: No such file or directory
   
9. root@192.168.180.129's password:
   
10. Last login: Fri Aug 29 11:11:11 2014 from 192.168.180.129
    
11. [root@MOON ~]# ulimit -n
    
12. 1024
    
13. [root@MOON ~]# grep UsePAM /usr/local/openssh-6.6p1/etc/sshd_config
    
14. UsePAM yes
    
15. [root@MOON ~]#

复制代码

q1208c

回复 3# dr12456

1. /usr/local/openssh-6.6p1/etc/sshd_config line 97: Unsupported option UsePAM

复制代码

这行提示, 说明它不支持 PAM, Sorry.
   

dr12456

上面那个问题解决了。要在./configure时候加选项 with-pam=enable
如果是现在的6.8就不存在这个问题。