[1457] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: ssh and limits on resources

daemon@ATHENA.MIT.EDU (Jon Lewis)
Sun Feb 23 06:54:39 1997

Date: Sat, 22 Feb 1997 11:50:52 -0500 (EST)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Trevor Johnson <trevor@blues.jpj.NET>
cc: ssh-bugs@cs.hut.fi, linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.95.970222001231.80A-100000@topside>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

On Sat, 22 Feb 1997, Trevor Johnson wrote:

> While logging in via ssh (versions 1.2.17 and 1.2.12) under Linux 2.0, I
> found that limits weren't being set (as shown by the output of "limit"
> (tcsh) or "ulimit -a" (bash).  Since /etc/profile, /etc/csh.cshrc, and
> /etc/limits were ignored, I made /etc/sshrc and put "ulimit" statements in
> it.  However, I was unable to limit the number of processes this way,
> leaving the system vulnerable to fork bombs.  Installing lshell (available
> at http://sunsite.unc.edu/pub/Linux/system/admin/login/lshell-2.01.tar.gz)
> corrected the problem.

According to the man page, /etc/sshrc might not be an effective place to
put limits.

       9.     If $HOME/.ssh/rc exists, runs it (with  the  user's
              shell);  else  if  /etc/sshrc exists, runs it (with
              /bin/sh); otherwise runs xauth.  The "rc" files are
              given the X11 authentication protocol and cookie in
              standard input.

This sounds to me like if a user has a $HOME/.ssh/rc, it will be run
instead of /etc/sshrc.  I have not tested this though.

[mod: Moreover, aren't the limits normally a maximum, where you can't 
go above? If as a user you "impose" yourself with a limit, you can
always set it back. I just verified that on my system under ssh, the
limits are the same as when I login normally, but I normally don't use
limits, so I don't know if I have to turn something to make login set
some limits. -- REW]

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______


home help back first fref pref prev next nref lref last post