HeXiLeD (l33t; Joined: 20 Aug 2005; Posts: 928; Location: online)
Posted: Wed Nov 30, 2011 2:37 pm    Post subject: ssh setuid: Resource temporarily unavailable [SOLVED]
It's been a while since I have been having this problem with ssh, and the closest topic/help I found out there was this topic here and this other one, and it was not that helpful.
I checked /etc/security/limits.conf as well as /etc/pam.d/system-auth and they are the same as on another computer which does not suffer from the same ssh login problem.
It might be related to PAM, but I am not sure since I cannot remember what may have changed.
Any ideas?
Code:
net-misc/openssh-5.8_p1-r1 USE="X -X509 -hpn -kerberos -ldap -libedit pam (-selinux) -skey -static tcpd"
I recompiled without PAM and the problem still remained.
I also have the same problem with telnet; it also fails to log in in a similar way:
Code:
Nov 30 09:34:07 sshd[23457]: Accepted password for mike from <ip>port 51889 ssh2
Nov 30 09:34:07 login[23459]: pam_unix(login:session): session opened for user <name> by (uid=0)
Nov 30 09:34:08 login[23467]: bad user ID `1001' for user `<name>': Resource temporarily unavailable
Nov 30 09:34:08 login[23459]: pam_unix(login:session): session closed for user <name>
Nov 30 09:34:08 sshd[23457]: Received disconnect from <ip>: 11: disconnected by user
Any suggestions?
-- 443640, Questioning, Unsolved, Configs, BinHost
Last edited by HeXiLeD on Fri Apr 20, 2012 5:20 am; edited 1 time in total

HeXiLeD (l33t; Joined: 20 Aug 2005; Posts: 928; Location: online)
Posted: Mon Feb 20, 2012 4:50 am
I have almost been able to solve the problem.
I unmerged openssh and removed all its files from the system.
Then emerged it again:
Code:
net-misc/openssh-5.8_p1-r1 USE="X -X509 hpn -kerberos -ldap -libedit -pam (-selinux) -skey -static tcpd"
Made some changes to /dev/pty:
Code:
rm -rf /dev/ptmx
mknod /dev/ptmx c 5 2
chmod 666 /dev/ptmx
umount /dev/pts
rm -rf /dev/pts
mkdir /dev/pts
mount /dev/pts
Recreated the confs:
Code:
# http://www.manpagez.com/man/5/sshd_config/
# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
ListenAddress 192.168.1.54
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#Allow users
#AllowUsers <user1> <user2> <user3> or <user@ip>
AllowUsers user1
#AllowGroups powerusers
#AllowUsers user1@ip user2@ip user3@ip user4@ip
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication no
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# UsePAM no
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment yes
#Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10
PermitTunnel yes
#ChrootDirectory none
# no default banner path
Banner /etc/ssh/banner
# override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
# allow the use of the none cipher
#NoneEnabled no
# disable hpn performance boosts.
#HPNDisabled no
# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
So far everything works fine under certain conditions. I am able to log in remotely and locally as long as I don't have X started for the user I will be using to log in.
In other words, if I start X as user1 I cannot log in on sshd with root, user2, peter, john, etc., but I cannot log in as user1.
In order to be able to log in with any user I must not start X.
This is the result I get when trying to log in on sshd with a user that has X running locally:
Code:
$ ssh user1@192.168.1.54 -v
OpenSSH_5.8p1-hpn13v10, OpenSSL 1.0.0g 18 Jan 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.1.54 [192.168.1.54] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1-hpn13v10
debug1: match: OpenSSH_5.8p1-hpn13v10 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1-hpn13v10
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA -------------------------------------------------------
debug1: Host '192.168.1.54' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
Authenticated to 192.168.1.54 ([192.168.1.54] :22).
debug1: Final hpn_buffer_size = 131072
debug1: HPN Disabled: 0, HPN Buffer Size: 131072
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
shell request failed on channel 0
I am thinking that it might have to do with some sshd_config settings but cannot figure out which ones. Any ideas?

salahx (Guru; Joined: 12 Mar 2005; Posts: 353)
Posted: Mon Feb 20, 2012 5:18 am
The only reason I can think of that setuid() would fail with that error is this: RLIMIT_NPROC and setuid()

HeXiLeD (l33t; Joined: 20 Aug 2005; Posts: 928; Location: online)
Posted: Mon Feb 20, 2012 6:04 am
I believe I may have solved the setuid issue. However, the "shell request failed on channel 0" is still ongoing. Not sure if they are related, but I get the same problem with telnet.
I can telnet without any problems to the selected user as long as the user does not run X. If the user runs X then the same problem happens as described above.
Along with this, if I telnet or ssh to the box using a user login that does not use X, as I said before, everything works; but once I connect using telnet or ssh, then start X for the logged-in user (locally) and try to run any application through ssh or telnet, such as htop or mc, I get the following error:
Code:
-bash: fork: Resource temporarily unavailable.
Which takes me to this forgotten post of mine.
I have also deleted all user .X* files as well as .bashrc.

HeXiLeD (l33t; Joined: 20 Aug 2005; Posts: 928; Location: online)
Posted: Mon Feb 20, 2012 6:39 am
I just found some interesting details. This may not be related to X, at least not directly.
I use fluxbox and have a few applications starting once I startx.
I just found out that "-bash: fork: Resource temporarily unavailable." only happens if I have some applications running on X like the following:
firefox
seamonkey
thunderbird
libreoffice
amule
skype
nicotine+
audacious
However, for these I get no trouble:
vlc
dvdrip
dillo
opera
links -g
abiword
audacity
nero
celestia
stellarium
pidgin
amsn
Code:
user1@box ~ $ ulimit
unlimited
user1@box ~ $ ulimit -u
31647
Code:
# cat cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file

salahx (Guru; Joined: 12 Mar 2005; Posts: 353)
Posted: Tue Feb 21, 2012 7:10 am
If fork() is failing with EAGAIN and it's not due to the user process limit, then it's hitting some other resource limit: either insufficient RAM (but unless overcommit is disabled, the OOM killer would have triggered well before this) or some other limit, e.g. more than /proc/sys/kernel/pid_max processes, some cgroup limit, etc.
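The two replies by salahx point at two different ceilings: the per-user process limit (RLIMIT_NPROC, what `ulimit -u` prints) and system-wide limits such as pid_max. The script below is an added diagnostic, not code from the thread, that checks both the way a defender would before touching limits.conf. Two details matter for this thread's symptoms: Linux counts every task a real uid owns, threads included, so a browser or mail client with dozens of threads eats far more of the budget than `ps` suggests; and the kernel compares the count of the uid being switched *to*, so root's login/sshd fails with "Resource temporarily unavailable" when the desktop user's own count is at the limit. Run it for that uid. `SAMPLE_STATUS` is constructed data shaped like `/proc/<pid>/status`, and the 10% headroom threshold is an arbitrary choice for this example.

```python
#!/usr/bin/env python3
"""Check a uid's task count against RLIMIT_NPROC ("ulimit -u") and pid_max.

Added diagnostic, not code from the thread. Linux charges every task (thread,
not just process) owned by a real uid against that uid's RLIMIT_NPROC; both
fork() and a switch to an over-limit uid (what login/sshd do with setuid())
then report EAGAIN, "Resource temporarily unavailable". SAMPLE_STATUS is
constructed data shaped like /proc/<pid>/status.
"""
import os
import resource

UNLIMITED = resource.RLIM_INFINITY


def parse_status(text):
    """Return (name, real_uid, threads) from one /proc/<pid>/status body."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    real_uid = int(fields["Uid"].split()[0])   # Uid: real, effective, saved, fs
    threads = int(fields.get("Threads", "1"))
    return fields.get("Name", "?"), real_uid, threads


def tasks_per_uid(status_bodies):
    """Sum threads per real uid: the number the kernel compares with RLIMIT_NPROC."""
    totals = {}
    for body in status_bodies:
        _, uid, threads = parse_status(body)
        totals[uid] = totals.get(uid, 0) + threads
    return totals


def top_consumers(status_bodies, uid, n=3):
    """The n programs of one uid with the most threads, largest first."""
    rows = [(threads, name) for name, owner, threads in map(parse_status, status_bodies)
            if owner == uid]
    return sorted(rows, reverse=True)[:n]


def assess(task_count, limit, headroom=0.10):
    """Classify a task count against a limit; returns (state, explanation)."""
    if limit == UNLIMITED:
        return "ok", "limit is unlimited"
    if task_count >= limit:
        return "exhausted", (f"{task_count} tasks >= limit {limit}: fork() and "
                             "setuid() into this uid fail with EAGAIN")
    if task_count >= limit * (1 - headroom):
        return "warning", f"{task_count} tasks, within {headroom:.0%} of limit {limit}"
    return "ok", f"{task_count} of {limit} tasks in use"


def read_live_status_bodies():
    """Read /proc/<pid>/status for every visible process (Linux only)."""
    bodies = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as fh:
                    bodies.append(fh.read())
            except OSError:   # the process exited between listdir() and open()
                pass
    return bodies


# Constructed sample: two heavily threaded desktop programs and a shell for
# uid 1001, plus one root-owned daemon.
SAMPLE_STATUS = [
    "Name:\tfirefox\nUid:\t1001\t1001\t1001\t1001\nThreads:\t64\n",
    "Name:\tthunderbird\nUid:\t1001\t1001\t1001\t1001\nThreads:\t40\n",
    "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nThreads:\t1\n",
    "Name:\tsshd\nUid:\t0\t0\t0\t0\nThreads:\t1\n",
]

if __name__ == "__main__":
    # Constructed scenario: uid 1001 owns 105 tasks against an assumed limit of 100.
    print("sample:", assess(tasks_per_uid(SAMPLE_STATUS)[1001], 100))
    if os.path.isdir("/proc"):
        # Live host: the calling uid against its soft limit, then everyone against pid_max.
        bodies = read_live_status_bodies()
        per_uid = tasks_per_uid(bodies)
        me = os.getuid()
        soft, _hard = resource.getrlimit(resource.RLIMIT_NPROC)
        print(f"uid {me}:", assess(per_uid.get(me, 0), soft))
        for threads, name in top_consumers(bodies, me):
            print(f"  {threads:5d} threads  {name}")
        with open("/proc/sys/kernel/pid_max") as fh:
            print("system:", assess(sum(per_uid.values()), int(fh.read())))
```

A low hard `nproc` in limits.conf is also the usual containment against fork bombs, so the remedy when this check reports "exhausted" is to size the limit for a threaded desktop session, not to remove it. A cgroup `pids.max`, where one applies, is a third ceiling the script does not read.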

HeXiLeD (l33t; Joined: 20 Aug 2005; Posts: 928; Location: online)
Posted: Fri Feb 24, 2012 8:35 pm
Of the 4 GB of RAM, the box only uses 400 MB or less when it boots. After the applications are running I still have a lot of free RAM.
Code:
$ free
             total       used       free     shared    buffers     cached
Mem:       4051568    3444928     606640          0     146408    1312108
-/+ buffers/cache:    1986412    2065156
Swap:      2048280      28948    2019332
I tried to look for group/user kernel limits but did not find anything that looked relevant. Maybe something is missing somewhere.
Current kernel configuration:
Linux/x86_64 3.2.2 Kernel Configuration

HeXiLeD (l33t; Joined: 20 Aug 2005; Posts: 928; Location: online)
Posted: Fri Apr 20, 2012 5:20 am
Solved now with the following:
Code:
OpenSSH_5.9p1-hpn13v11, OpenSSL 1.0.0h
net-misc/openssh-5.9_p1-r4 USE="X -X509 hpn -kerberos -ldap -libedit -pam (-selinux) -skey -static tcpd"
And using the following configuration options:
Code:
# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
###############################################################################
# Allow specific users to login
#AllowUsers <user1> <user2> <user3> or <user@ip>
# AllowGroups powerusers
# AllowUsers user1@ip user2@ip user3@ip user4@ip
AllowUsers user1 user2@<ip>
#AllowGroups powerusers
#AllowUsers user1@ip user2@ip user3@ip user4@ip
###############################################################################
Port 22
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
###############################################################################
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024
###############################################################################
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
###############################################################################
# Authentication:
LoginGraceTime 1m
PermitRootLogin yes # Since it is lan restricted by ip
StrictModes yes
MaxAuthTries 3
MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication no #was yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
###############################################################################
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd no
#KerberosTicketCleanup no
#KerberosGetAFSToken no
###############################################################################
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck no
###############################################################################
# Pam Option
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
###############################################################################
ChrootDirectory none
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10
PermitTunnel yes
###############################################################################
# Default banner path
Banner /etc/ssh/banner
###############################################################################
# override default of no subsystems
# http://en.gentoo-wiki.com/wiki/SFTP_Server
Subsystem sftp /usr/lib64/misc/sftp-server
###############################################################################
# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
# allow the use of the none cipher
#NoneEnabled no
# disable hpn performance boosts.
HPNDisabled no
# buffer size for hpn to non-hpn connections
HPNBufferSize 2048
###############################################################################
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Topic is SOLVED.
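Two full sshd_config files are posted in this thread, and the difference between the February one and the April one is spread over a hundred lines of comments. The script below is an added example, not code from the thread or from OpenSSH: a parser for the sshd_config format that applies the rule sshd itself uses (the first value read for a keyword wins, and anything after a `Match` line is conditional), a diff of the two effective configurations, and an audit of the directives that appear in them from a hardening point of view. `BEFORE` and `AFTER` are constructed excerpts modelled on the two posted files, cut down to the directives that differ or matter for the audit; the defaults assumed in `audit()` are those of the OpenSSH 5.x releases the thread uses.

```python
#!/usr/bin/env python3
"""Diff two sshd_config snapshots and flag weak settings.

Added example, not code from the thread or from OpenSSH. BEFORE and AFTER are
constructed excerpts modelled on the two configurations posted above.
"""
import re

# Constructed excerpt in the spirit of the February (failing) configuration.
BEFORE = """\
Port 22
ListenAddress 192.168.1.54
AllowUsers user1
Protocol 2
PermitRootLogin yes
PubkeyAuthentication no
HostbasedAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
X11UseLocalhost no
PermitUserEnvironment yes
"""

# Constructed excerpt in the spirit of the April (solved) configuration.
AFTER = """\
AllowUsers user1 user2@<ip>
Port 22
AddressFamily any
Protocol 2
PermitRootLogin yes
PubkeyAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChrootDirectory none
AllowAgentForwarding yes
AllowTcpForwarding yes
X11Forwarding no
X11UseLocalhost yes
PermitUserEnvironment no
"""


def parse_sshd_config(text):
    """Effective global settings as {keyword_lower: value}.

    sshd keeps the first value it reads for a keyword, so later duplicates are
    ignored; directives after a Match line apply conditionally, so stop there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def diff_configs(before, after):
    """Keywords whose effective value differs, as {key: (old, new)}; None = unset."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}


def audit(cfg):
    """Findings as [(Keyword, reason)]; fallback defaults are OpenSSH 5.x's."""
    def get(key, default):
        return cfg.get(key, default).lower()

    findings = []
    if get("permitrootlogin", "yes") == "yes":
        findings.append(("PermitRootLogin", "root can log in directly; prefer 'no' or 'without-password'"))
    if get("passwordauthentication", "yes") == "yes" and get("pubkeyauthentication", "yes") == "no":
        findings.append(("PubkeyAuthentication", "passwords are the only user authentication on offer"))
    if get("permituserenvironment", "no") == "yes":
        findings.append(("PermitUserEnvironment", "users may set environment such as LD_PRELOAD via "
                         "~/.ssh/environment or authorized_keys, bypassing ForceCommand-style limits"))
    if get("hostbasedauthentication", "no") == "yes":
        findings.append(("HostbasedAuthentication", "logins rest on the client host key and .shosts trust"))
    if get("x11forwarding", "no") == "yes" and get("x11uselocalhost", "yes") == "no":
        findings.append(("X11UseLocalhost", "the forwarded X11 display listens on all interfaces"))
    if get("permitemptypasswords", "no") == "yes":
        findings.append(("PermitEmptyPasswords", "accounts with empty passwords can log in"))
    return findings


if __name__ == "__main__":
    before, after = parse_sshd_config(BEFORE), parse_sshd_config(AFTER)
    for key, (old, new) in diff_configs(before, after).items():
        print(f"{key:26s} {old!s:>15} -> {new!s}")
    for label, cfg in (("before", before), ("after", after)):
        for keyword, why in audit(cfg):
            print(f"[{label}] {keyword}: {why}")
```

Of the findings, `PermitUserEnvironment yes` and `HostbasedAuthentication yes` disappear between the two posted files; `PermitRootLogin yes` with password-only authentication survives into the solved configuration and is only justified, as the author's own comment says, by the `AllowUsers` address restriction. The parser does not strip trailing `# ...` text, and neither does sshd, which rejects it on most directives with "garbage at end of line", so the inline comments in the posted file are worth removing before relying on it.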