Date: Mon, 14 May 2007 00:47:07 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Larry Scheer" <larry.scheer@onstor.com>
Cc: "Mike Lee" <mike.lee@onstor.com>, "Brian DeForest"
 <brian.deforest@onstor.com>, "Rendell Fong" <rendell.fong@onstor.com>,
 "Sandrine Boulanger" <sandrine.boulanger@onstor.com>, "Tim Gardner"
 <tim.gardner@onstor.com>
Subject: Re: ssh configuration (Defect 18513)
Message-ID: <20070514004707.4f2e22da@ripper.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E0A91F0@onstor-exch02.onstor.net>
References: <BB375AF679D4A34E9CA8DFA650E2B04E028FB43E@onstor-exch02.onstor.net>
	<BB375AF679D4A34E9CA8DFA650E2B04E0A91F0@onstor-exch02.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Something just doesn't add up here.  40KB per ssh login?  I guarantee
it's a lot more than that.  But Larry's point still persists, even if
it's 10 times that, it doesn't make sense that there are 1000 ssh
sessions going.  Are there?  The amount of memory used by each instance
of nfxsh is going to be in the megabytes per, and that's before you run
any commands.  Even if you add that to the ssh usage, it still sounds
wonky.

Something is amiss or missing with this analysis.

Cheers,

a


On Sun, 13 May 2007 21:36:12 -0700 "Larry Scheer"
<larry.scheer@onstor.com> wrote:

> How many concurrent SSH connections were there?
> At 40Kbytes of memory each session, you would need 6554 sessions
> running to exhaust 256Mbytes of memory. Are you saying the real
> problem is a runaway process spawning SSH connections?
> 
> When do we ever have dozens of SSH processes running on the
> SSC? I can't imagine hundreds much less thousands of SSH processes.
> What are you seeing that I am missing here?
> 
> Larry 
> 
> -----Original Message-----
> From: Mike Lee
> Sent: Sun 5/13/2007 8:29 PM
> To: Andy Sharp; Larry Scheer
> Cc: Brian DeForest; Rendell Fong; Sandrine Boulanger; Tim Gardner
> Subject: ssh configuration (Defect 18513)
>  
> Gentlemen:
> 
> Concerning that BSD panic due to kernel memory exhaustion, Rendell
> figured out that it was due to too many concurrent ssh connections to
> our filer, where each connection ate up 40K of memory.  
> 
> As such, I think we need to configure our ssh daemon to limit the
> maximum number of concurrent connections.  I searched a bit online
> and the only thing I found was the MaxStartups setting, but it is for
> "concurrent unauthenticated connections".  
> 
> Do you know of a way to limit number of connections, authenticated or
> unauthenticated?
> 
> Thanks!
> 
> -Mike
> 
> 
> MaxStartups 
> Specifies the maximum number of concurrent unauthenticated
> connections to the sshd daemon. Additional connections will be
> dropped until authentication succeeds or the LoginGraceTime expires
> for a connection. The default is 10. Alternatively, random early drop
> can be enabled by specifying the three colon separated values
> ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection
> attempts with a probability of ``rate/100'' (30%) if there are
> currently ``start'' (10) unauthenticated connections. The probability
> increases linearly and all connection attempts are refused if the
> number of unauthenticated connections reaches ``full'' (60). 
> 
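
Added example, not part of the original e-mail thread and not sshd's own code: a small model of the MaxStartups random-early-drop rule as the quoted man page text describes it, showing the refusal probability at a given number of unauthenticated connections. The names `parse_maxstartups` and `refuse_probability` are hypothetical, and treating a single-value setting as a hard cutoff is an assumption.

```python
"""Model of the MaxStartups rule described in the quoted man page text."""
from typing import NamedTuple


class MaxStartups(NamedTuple):
    start: int  # unauthenticated connections at which refusals begin
    rate: int   # refusal probability in percent once `start` is reached
    full: int   # unauthenticated connections at which all attempts are refused


def parse_maxstartups(value: str) -> MaxStartups:
    """Parse 'N' or 'start:rate:full' and reject inconsistent settings."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        # Assumption: a single value N is modelled as a hard cutoff at N.
        cfg = MaxStartups(n, 100, n)
    elif len(parts) == 3:
        cfg = MaxStartups(*(int(p) for p in parts))
    else:
        raise ValueError("expected 'N' or 'start:rate:full'")
    if cfg.start < 1 or cfg.full < cfg.start or not 1 <= cfg.rate <= 100:
        raise ValueError("inconsistent MaxStartups values: %r" % (cfg,))
    return cfg


def refuse_probability(cfg: MaxStartups, unauthenticated: int) -> float:
    """Probability that a new connection attempt is refused.

    Only unauthenticated connections are counted, so this setting puts
    no ceiling on the number of authenticated sessions.
    """
    if unauthenticated < cfg.start:
        return 0.0
    if unauthenticated >= cfg.full:
        return 1.0
    base = cfg.rate / 100
    # Linear increase from rate/100 at `start` to 1.0 at `full`.
    return base + (1 - base) * (unauthenticated - cfg.start) / (cfg.full - cfg.start)


if __name__ == "__main__":
    cfg = parse_maxstartups("10:30:60")  # the man page's example value
    for count in (5, 10, 35, 59, 60):    # constructed sample counts
        print("%3d unauthenticated -> refuse %.0f%%"
              % (count, 100 * refuse_probability(cfg, count)))
```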
