Ssh – pam_limits: Operation not permitted for sshd

Tags: pam, ssh, ulimit

Debian 8.0, pam 1.1.8-3.1, sshd 1:6.7p1-5.

I'm trying to permanently increase the maximum number of open files.

In /etc/pam.d/ I've got:

/etc/pam.d# grep pam_limits.so *
atd:session    required   pam_limits.so
common-session:session required pam_limits.so
common-session-noninteractive:session required pam_limits.so
cron:session    required   pam_limits.so
login:session    required   pam_limits.so
runuser:session         required        pam_limits.so
sshd:session    required     pam_limits.so
su:session    required   pam_limits.so

In /etc/security/limits.conf:

*       hard    nofile  20000500
*       soft    nofile  20000500

In /etc/ssh/sshd_config:

UsePAM yes

In /etc/sysctl.conf:

fs.file-max = 20000500

I've rebooted the OS and what I'm seeing in /var/log/auth.log is:

sshd[807]: pam_limits(sshd:session): Could not set limit for 'nofile' to soft=20000500, hard=20000500: Operation not permitted; uid=0,euid=0

Same thing trying to do ulimit -Hn 20000500 as root:

bash: ulimit: open files: cannot modify limit: Operation not permitted

Using trial-and-error, I've found the maximum number I can give ulimit -Hn without failing: 1048576. Why exactly this number and where does it come from?

P.S. When it says "operation not permitted", how do I know who decides? I assume the code within pam_limits.so is trying to set the limits, but who does actually refuse? Is it the PAM system which possibly takes over the whole security system in the OS?

Best Answer

It is not recommended; I would say you cannot do that. See this other answer:

can't log in when nofile is set to unlimited in /etc/security/limits.conf

man proc

   /proc/sys/fs/file-max
          This file defines a system-wide limit on the number of open files for all processes. (See also setrlimit(2), which can be used by a process to set the per-process limit, RLIMIT_NOFILE, on the number of files it may open.) If you get lots of error messages in the kernel log about running out of file handles (look for "VFS: file-max limit <number> reached"), try increasing this value:

              echo 100000 > /proc/sys/fs/file-max

          The kernel constant NR_OPEN imposes an upper limit on the value that may be placed in file-max.

          If you increase /proc/sys/fs/file-max, be sure to increase /proc/sys/fs/inode-max to 3-4 times the new value of /proc/sys/fs/file-max, or you will run out of inodes.

          Privileged processes (CAP_SYS_ADMIN) can override the file-max limit.

ulimit is a limit for a user; it isn't normal to set it to the same number as the global setting, since that is like letting one user use all the files in the system.
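As an added example (not part of the question or the answer above), the following POSIX shell diagnostic applies the same check the kernel makes when pam_limits or ulimit -Hn asks for a hard nofile value: setrlimit refuses any RLIMIT_NOFILE hard limit above /proc/sys/fs/nr_open with EPERM, root included, and nr_open defaults to 1048576 (2^20, the NR_OPEN ceiling the man page mentions), which is where the number found by trial and error comes from. The sample limits.conf text and the nr_open/file-max values fed to it are constructed; the function names are my own, and live_check only reads the real /proc values when you call it on a Linux host.

```shell
#!/bin/sh
# Added example (not from the original post): explain a refused nofile limit.

# Largest nofile value in limits.conf-style text read from stdin.
# Lines look like: "<domain> <soft|hard|-> nofile <value>".
max_nofile_from_limits() {
    awk '$1 !~ /^#/ && $3 == "nofile" && $4 ~ /^[0-9]+$/ {
             if ($4 + 0 > m) m = $4 + 0
         }
         END { print m + 0 }'
}

# Classify a requested hard nofile against nr_open and file-max.
# Prints: exceeds_nr_open | exceeds_file_max | ok
classify_nofile() {
    requested=$1; nr_open=$2; file_max=$3
    if [ "$requested" -gt "$nr_open" ]; then
        # setrlimit returns EPERM here: "Operation not permitted", even for uid 0
        echo exceeds_nr_open
    elif [ "$requested" -gt "$file_max" ]; then
        # Accepted per process, but the system-wide table is smaller: raise fs.file-max
        echo exceeds_file_max
    else
        echo ok
    fi
}

# Constructed sample: the question's limits.conf, a stock kernel whose
# nr_open is the default 1048576 (2^20), and file-max as set in the question.
SAMPLE_LIMITS='# /etc/security/limits.conf (constructed sample)
*       hard    nofile  20000500
*       soft    nofile  20000500'
SAMPLE_NR_OPEN=1048576
SAMPLE_FILE_MAX=20000500

# Run the classification on the constructed sample.
diagnose_sample() {
    wanted=$(printf '%s\n' "$SAMPLE_LIMITS" | max_nofile_from_limits)
    classify_nofile "$wanted" "$SAMPLE_NR_OPEN" "$SAMPLE_FILE_MAX"
}

# On a live Linux host, read the real values instead of the sample.
live_check() {
    nr_open=$(cat /proc/sys/fs/nr_open)
    file_max=$(cat /proc/sys/fs/file-max)
    wanted=$(max_nofile_from_limits < /etc/security/limits.conf)
    printf 'nr_open=%s file-max=%s nofile=%s -> %s\n' "$nr_open" "$file_max" \
        "$wanted" "$(classify_nofile "$wanted" "$nr_open" "$file_max")"
}
```

For the question's values diagnose_sample prints exceeds_nr_open, matching the auth.log message; raising fs.nr_open (a sysctl) above the requested value, or lowering nofile to at most nr_open, makes the pam_limits session step succeed.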