SSH Remote ulimit does not work

Problem description

The contents of the operating system's /etc/security/limits.conf file are as follows:

* soft memlock unlimited

* hard memlock unlimited

When connecting to the server with the remote connection tool MoBa, ulimit -a shows values that are consistent with the /etc/security/limits.conf configuration.

When connecting remotely with the SSH command line, ulimit -a shows the default values, which are inconsistent with the /etc/security/limits.conf configuration.

When the operations and maintenance program starts the system remotely, it executes over an SSH connection, and the configured ulimit values do not take effect in that connection. As a result, the system cannot use RDMA because the default memlock limit is too small.


After a series of investigations, we found that the SSH version in the customer environment (openssh_ 4p1) differs from the default SSH version of the operating system (openssh_7.4p1). It is suspected that the customer's recompiled version causes the limit values not to take effect for remote SSH logins.
At the same time, the UsePAM value in the /etc/ssh/sshd_config file is no. When this item is set to yes and the sshd service is restarted, the system log shows the following error:

It is suspected that the problem is caused by SSH having been upgraded and compiled without the --with-pam option (PAM support is not compiled in by default).


The customer was advised to recompile OpenSSH with the --with-pam parameter. After the customer did so, the problem was solved.


The --with-pam parameter is required for subsequent upgrades and compilations of OpenSSH.


Introduction of PAM module

Linux-PAM (Pluggable Authentication Modules for Linux) is a set of shared libraries that lets the local system administrator choose how programs authenticate users. In other words, the authentication mechanism can be changed without recompiling a PAM-enabled application, so even if the local authentication mechanism is upgraded, the program does not need to be modified.

PAM uses the configuration files under /etc/pam.d/ to manage how each program authenticates. An application refers to its configuration file, which in turn calls the local authentication modules; the modules are stored under /lib/security and loaded as dynamic libraries. For example, when we use the su command, the system prompts for the root user's password; su does this by calling PAM modules.

SSH login also calls the PAM modules, and its configuration file is /etc/pam.d/sshd:

auth       required
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional prepare
account    required
account    include      password-auth
password   include      password-auth
# close should be the first session rule
session    required close
session    required
# open should only be followed by sessions to be executed in the user context
session    required open env_params
session    required
session    optional force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional prepare

The session section includes the password-auth configuration; the /etc/pam.d/password-auth-ac file is as follows:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        required delay=2000000
auth        sufficient nullok try_first_pass
auth        requisite uid >= 1000 quiet_success
auth        required
account     required
account     sufficient
account     sufficient uid < 1000 quiet
account     required
password    requisite try_first_pass local_users_only retry=3 authtok_type=
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    required
session     optional revoke
session     required
-session     optional
session     [success=1 default=ignore] service in crond quiet use_uid
session     required

PAM_ is the .so module that is called when an SSH connection is created; it is the core module that makes the /etc/security/limits.conf file take effect.
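
The three conditions this page ties together (sshd linked against PAM, UsePAM set to yes, and a session rule loading pam_limits.so, the standard Linux-PAM module that applies /etc/security/limits.conf) can be checked with a short script. This is an added example, not part of the original article; the function names and sample files are hypothetical, and the module name pam_limits.so is supplied here as an assumption because the listings above do not show module names.

```shell
#!/bin/sh
# Added example. All sample inputs are constructed, not taken from a real host.

# Effective UsePAM value: sshd keeps the first value it reads for a keyword,
# keywords are case-insensitive, and the built-in default is "no".
usepam_setting() {
    awk 'tolower($1) == "usepam" { print $2; found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# True if any given PAM file has an active session rule loading pam_limits.so
# (the type may carry a leading "-"; commented-out rules do not count).
session_has_limits() {
    grep -Eq '^-?session[[:space:]].*pam_limits\.so' "$@"
}

# True if saved `ldd` output for the sshd binary lists libpam, which a
# dynamically linked sshd only has when OpenSSH was built --with-pam.
linked_with_pam() {
    grep -q 'libpam\.so' "$1"
}

# diagnose LDD_OUTPUT SSHD_CONFIG PAM_FILE... -> one-line verdict
diagnose() {
    ldd_out=$1 cfg=$2; shift 2
    if ! linked_with_pam "$ldd_out"; then
        echo "sshd built without PAM: rebuild with --with-pam"
    elif [ "$(usepam_setting "$cfg")" != "yes" ]; then
        echo "UsePAM is not yes: limits.conf is not applied"
    elif ! session_has_limits "$@"; then
        echo "no pam_limits.so session rule: limits.conf is not applied"
    else
        echo "ok: pam_limits.so runs for SSH sessions"
    fi
}

# Constructed sample inputs written into directory $1.
make_samples() {
    printf '%s\n' 'libcrypto.so.10 => /lib64/libcrypto.so.10' > "$1/ldd_nopam"
    printf '%s\n' 'libpam.so.0 => /lib64/libpam.so.0' > "$1/ldd_pam"
    printf '%s\n' '#UsePAM no' 'usepam yes' 'UsePAM no' > "$1/cfg_yes"
    printf '%s\n' 'Port 22' '#UsePAM yes' > "$1/cfg_default"
    printf '%s\n' 'session required pam_limits.so' > "$1/pam_ok"
    printf '%s\n' '#session required pam_limits.so' > "$1/pam_off"
}

demo=$(mktemp -d) && make_samples "$demo"
diagnose "$demo/ldd_nopam" "$demo/cfg_yes" "$demo/pam_ok"   # the page's case
rm -rf "$demo"
```

On a real host, save the output of ldd on the sshd binary to a file and pass it to diagnose together with /etc/ssh/sshd_config, /etc/pam.d/sshd and /etc/pam.d/password-auth. Include directives in sshd_config are not followed by this script.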
