X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C795FC.8B5C8E6D@onstor-exch02.onstor.net>; Mon, 14 May 2007 00:50:30 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C795FC.8B5C8E6D"
References: <BB375AF679D4A34E9CA8DFA650E2B04E028FB43E@onstor-exch02.onstor.net> <BB375AF679D4A34E9CA8DFA650E2B04E03B6E1CC@onstor-exch02.onstor.net>
Content-class: urn:content-classes:message
Subject: RE: ssh configuration (Defect 18513)
Date: Mon, 14 May 2007 00:47:29 -0700
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E028FB442@onstor-exch02.onstor.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: ssh configuration (Defect 18513)
Thread-Index: AceV2BIgLc8ojXfxQBSg1eKJfl/8lAAEnalAAARlrIc=
From: "Mike Lee" <mike.lee@onstor.com>
To: "Brian DeForest" <brian.deforest@onstor.com>,
	"Andy Sharp" <andy.sharp@onstor.com>,
	"Larry Scheer" <larry.scheer@onstor.com>
Cc: "Rendell Fong" <rendell.fong@onstor.com>,
	"Sandrine Boulanger" <sandrine.boulanger@onstor.com>,
	"Tim Gardner" <tim.gardner@onstor.com>

Brian:

Good point.
I also tried to kick off a shell script on my filer to spawn tar processes in the background.
There was also a decreasing trend in the amount of free memory reported by "vmstat -m" as the number of tar processes started accumulating, but it is not as sharp as that seen in the accumulation of ssh/kill processes.

Thanks.

-Mike

________________________________

From: Brian DeForest
Sent: Sun 5/13/2007 10:45 PM
To: Mike Lee; Andy Sharp; Larry Scheer
Cc: Rendell Fong; Sandrine Boulanger; Tim Gardner
Subject: RE: ssh configuration (Defect 18513)



Before modifying SSH we should determine if it's the number of SSH sessions, or just the number of processes? We might also have to limit the number of nfxsh sessions.

-----Original Message-----
From: Mike Lee
Sent: Sunday, May 13, 2007 8:29 PM
To: Andy Sharp; Larry Scheer
Cc: Brian DeForest; Rendell Fong; Sandrine Boulanger; Tim Gardner
Subject: ssh configuration (Defect 18513)

Gentlemen:

Concerning that BSD panic due to kernel memory exhaustion, Rendell figured out that it was due to too many concurrent ssh connections to our filer, where each connection ate up 40K of memory.

As such, I think we need to configure our ssh daemon to limit the maximum number of concurrent connections. I searched a bit online and the only thing I found was the MaxStartups setting, but it is for "concurrent unauthenticated connections".

Do you know of a way to limit the number of connections, authenticated or unauthenticated?

Thanks!

-Mike


MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).
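The sshd_config(5) excerpt above describes a linear ramp, and it is easy to misjudge how aggressive a given "start:rate:full" triple is before putting it on a box. The following Python is an added illustration of the documented behaviour (it is not OpenSSH's own code, and the names parse_max_startups, drop_probability, should_drop and drop_curve are mine): it parses the setting, computes the refusal chance for a given number of connections still in the authentication phase, and prints the curve for the man page's "10:30:60" example. Note that, exactly as the thread says, this only governs the pool of unauthenticated connections; authenticated sessions, the ones that exhausted kernel memory here, are outside what MaxStartups counts.

```python
"""Model of the sshd_config MaxStartups "start:rate:full" random early drop.

Added illustration of the documented behaviour; not OpenSSH's own code.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int  # unauthenticated connections at which dropping begins
    rate: int   # drop probability in percent once `start` is reached
    full: int   # unauthenticated connections at which every new attempt is refused


def parse_max_startups(value: str) -> MaxStartups:
    """Parse a MaxStartups value: a plain integer N or "start:rate:full".

    The plain form is modelled as start == full with a 100% rate, which
    matches the documented wording: additional connections are dropped
    until one authenticates or LoginGraceTime expires.
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        if n < 1:
            raise ValueError(f"MaxStartups must be positive, got {value!r}")
        return MaxStartups(start=n, rate=100, full=n)
    if len(parts) != 3:
        raise ValueError(f"MaxStartups: expected N or start:rate:full, got {value!r}")
    start, rate, full = (int(p) for p in parts)
    if start < 1 or full < start or not 1 <= rate <= 100:
        raise ValueError(f"MaxStartups: invalid triple {value!r}")
    return MaxStartups(start, rate, full)


def drop_probability(cfg: MaxStartups, unauthenticated: int) -> int:
    """Percent chance that a new connection is refused while `unauthenticated`
    connections are still in the authentication phase.

    0 below `start`, `rate` at `start`, rising linearly to 100 at `full`.
    """
    if unauthenticated < cfg.start:
        return 0
    if unauthenticated >= cfg.full or cfg.rate == 100:
        return 100
    span = cfg.full - cfg.start          # > 0 here because full > start
    progress = unauthenticated - cfg.start
    return cfg.rate + (100 - cfg.rate) * progress // span


def should_drop(cfg: MaxStartups, unauthenticated: int, rng=random) -> bool:
    """Decide whether to refuse one incoming connection attempt.

    `rng` only needs a randrange(); the module default is fine in practice.
    """
    return rng.randrange(100) < drop_probability(cfg, unauthenticated)


def drop_curve(cfg: MaxStartups) -> list:
    """(unauthenticated count, drop percent) for every count up to `full`,
    for eyeballing a proposed setting before deploying it."""
    return [(n, drop_probability(cfg, n)) for n in range(0, cfg.full + 1)]


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:60")  # the example triple from sshd_config(5)
    for count, pct in drop_curve(cfg):
        if count in (0, 9, 10, 35, 59, 60):
            print(f"{count:3d} unauthenticated -> refuse {pct:3d}% of new attempts")
```

Reading the curve for "10:30:60": nothing is refused until the tenth unauthenticated connection, three in ten new attempts are refused at that point, about two in three at 35, and everything at 60. A plain "MaxStartups 10" is the degenerate case where the ramp collapses to a hard cap.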



