No limits.conf or file in limits.d/*.conf has nofile defined…
When I su - username, ulimit -Sa and -Ha both show the correct soft/hard limit for nofile.
But when I ssh into the box as username, the -Sa/-Ha no longer reflect the correct soft/hard limit for the nofile setting. It goes back to 1024 and 524288.
I did a strace on the ulimit call via ssh call.
RedHat 9 shows this, which correctly reflects the 65536…
prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=64*1024, rlim_max=64*1024}) = 0
But Rocky 9 shows this, which reflects the 1024…
prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=512*1024}) = 0
I’ve compared the sshd_config, pam.d configs between the two and no differences that would explain the soft limit.
I know I can use systemd.conf to set LimitNOFILE, but I only want to set it for 1 user, not all users.
Any idea what is going wrong? What config file to check??
Thank you.
I just tried this on my system, and I cannot replicate the problem:
ssh ian@rocky9
Last login: Mon Aug 26 19:53:10 2024 from 10.10.11.111
ian@rocky9:~$ ulimit -n
1024
root@rocky9:~# cat /etc/security/limits.d/99-mylimits.conf
ian - nofile 65536
ssh ian@rocky9
Last login: Thu Aug 29 15:27:58 2024 from 10.10.11.111
ian@rocky9:~$ ulimit -n
65536
ssh rocky9
Last login: Thu Aug 29 15:27:41 2024 from 10.10.11.111
root@rocky9:~# ulimit -n
1024
root@rocky9:~# su ian
ian@rocky9:/root$ ulimit -n
65536
My first login shows before I created the limits config, so it showed 1024. I then created the file and logged in again, and it works. I also used su and it also works. So not entirely sure what other configuration on your system is causing it to fail, but it must be reading a setting from somewhere.
Yes, that’s what I’m expecting to happen, but doesn’t happen in my case.
When I do the ssh user@rocky9 after setting up the file, it doesn’t show 65536.
Is there maybe some ssh or sshd or pam.d config settings that could be interfering with that?
By default, no, there shouldn’t be. What other changes have been made to your installation? Have any security profiles been applied to the machine during installation, such as CIS/STIG? Was this a clean installation or upgraded from CentOS previously?
If not due to security profiles, then some changes must have been made somewhere. Unfortunately I have no idea what without actually googling to see what it might be. Usually, with a basic installation without security profiles and without any other custom configuration applied, it would simply work.
Perhaps someone else frequenting the forum might have ideas about it and will join in the discussion shortly.
I am using a Rocky9 image my company has created for GCP.
A coworker is trying to get a new image created from the same base rocky9 image the current image was created from, to see if there are some customizations made after the base image that are interfering with ulimit working correctly.
This seems to be caused by not using UsePAM yes in sshd_config.
I saw there was UsePAM yes in sshd_config.d/50-redhat.conf on RHEL9, but the include for sshd_config.d was commented out, so it didn’t include it.
Once I added UsePAM yes to sshd_config main file, and restarted sshd, the ulimits were correctly applied to the username I set up.
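
The cause found in the last post can be checked mechanically: limits.d entries are applied by pam_limits during the PAM session, which sshd only runs when UsePAM is yes, and a drop-in that sets it has no effect if the Include line is commented out. The script below is an added example, not part of the thread; it resolves UsePAM the way sshd does (first value wins, upstream default no). The function names first_usepam and effective_usepam are hypothetical, the sample files are constructed, and Match blocks and quoted arguments are not handled.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: relative Include paths resolve
# against the main config's directory (sshd itself uses /etc/ssh).

# first_usepam FILE BASE: print the first UsePAM value found, following Include.
# The ( ... ) body is a subshell, so cd and the loop variables do not leak.
first_usepam() (
    file=$1 base=$2
    cd "$base" 2>/dev/null || exit 0
    [ -r "$file" ] || exit 0
    while read -r key arg rest || [ -n "$key" ]; do
        case $key in
            ''|'#'*) ;;                       # blank or comment; a commented Include is skipped
            [Uu][Ss][Ee][Pp][Aa][Mm])
                printf '%s\n' "$arg" | tr '[:upper:]' '[:lower:]'
                exit 0 ;;
            [Ii][Nn][Cc][Ll][Uu][Dd][Ee])
                for inc in $arg $rest; do     # unquoted on purpose: split, then glob in lexical order
                    found=$(first_usepam "$inc" "$base")
                    if [ -n "$found" ]; then printf '%s\n' "$found"; exit 0; fi
                done ;;
        esac
    done < "$file"
    exit 0
)

# effective_usepam MAIN_CONFIG: print "yes" or "no" for the resolved setting.
effective_usepam() (
    base=$(cd "$(dirname "$1")" && pwd) || exit 1
    value=$(first_usepam "$base/$(basename "$1")" "$base")
    printf '%s\n' "${value:-no}"              # never set anywhere: upstream default is no
)

# Constructed sample mirroring the thread: the drop-in sets UsePAM yes,
# but the Include line in the main file is commented out.
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
echo 'UsePAM yes' > "$demo/sshd_config.d/50-redhat.conf"
echo '#Include /etc/ssh/sshd_config.d/*.conf' > "$demo/sshd_config"
effective_usepam "$demo/sshd_config"          # prints: no
echo 'Include sshd_config.d/*.conf' > "$demo/sshd_config"
effective_usepam "$demo/sshd_config"          # prints: yes
rm -rf "$demo"
```

On a live host, `sshd -T | grep -i usepam` run as root prints the value sshd itself resolved and is the authoritative check.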