Date: Thu, 20 Nov 2003 10:56:08 -0500 (EST)
From: Robert Watson
To: Len Sassaman
cc: freebsd-hackers@freebsd.org
cc: freebsd-current@freebsd.org
Subject: Re: Help request: problems with a 5.1 server and large numbers of ssh users.

On Wed, 19 Nov 2003, Len Sassaman wrote:

> It is my intuition from this behavior that the sshd master process
> listening for connections is unable to spawn a new process to complete
> the authentication step, and thus the connection is being dropped. There
> is no information of use in dmesg, nor in the system logs. (I've cranked
> up LogLevel to DEBUG3 in sshd_config).
>
> I have a RedHat Linux server running the 2.4.18-3smp kernel on a dual
> Athlon MP 1800+ and 2048MB RAM that is known to handle 1000 users
> without issue -- so I have to believe the FreeBSD box, though not as
> beefy hardware-wise, should be able to do better than a few hundred
> users. I believe this to be some sort of resource limit issue, but I
> have addressed everything I could think of.

Hmm. Well, it certainly sounds like a resource limit to me, especially if
it's a nice round number like "150" or "300". However, I'm also having a
bit of trouble seeing, off the top of my head, which limit it might be. It
sounds like you've got the ones I would think of.

A quick skim of sshd.c suggests that it is pretty careful to document
various failure modes in debugging output. There are one or two failures
where it does not log, and they include the call to pipe() in the server
loop -- if that fails, it bails without an error, which is a little
surprising. Could you post server debug output for the first connection
to the server that fails? This would let us "see how far it got"... In
particular, whether it did spawn a child process, etc.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
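
Added example, not part of the message above and not code from sshd.c: a small C program that reproduces a pipe() failure under a lowered descriptor limit and logs the errno, so the per-process limit (EMFILE) can be told apart from a full system-wide file table (ENFILE). The names logged_pipe, pipes_until_failure and MAX_PIPES, and the limit of 16, are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

#define MAX_PIPES 64   /* constructed bound for this demo */

/* Hypothetical wrapper: behaves like pipe(), but never fails silently. */
static int logged_pipe(int fds[2])
{
    if (pipe(fds) == 0)
        return 0;
    int e = errno;
    fprintf(stderr, "pipe failed: %s (%s)\n", strerror(e),
        e == EMFILE ? "per-process descriptor limit, RLIMIT_NOFILE" :
        e == ENFILE ? "system-wide file table full" : "unexpected");
    errno = e;         /* fprintf may have overwritten errno */
    return -1;
}

/*
 * Lower the soft RLIMIT_NOFILE to soft_limit (at most MAX_PIPES, so the loop
 * always ends on a failed pipe()), create pipes until one fails, then close
 * them and restore the limit. Returns the number of pipes created, or -1 on
 * a setup error; *fail_errno receives the errno of the failed pipe().
 */
int pipes_until_failure(rlim_t soft_limit, int *fail_errno)
{
    struct rlimit old, lowered;
    int fds[MAX_PIPES][2], n = 0;
    if (soft_limit > MAX_PIPES || getrlimit(RLIMIT_NOFILE, &old) == -1)
        return -1;
    lowered = old;
    lowered.rlim_cur = soft_limit;
    if (setrlimit(RLIMIT_NOFILE, &lowered) == -1)
        return -1;
    while (logged_pipe(fds[n]) == 0)
        n++;
    *fail_errno = errno;
    for (int i = 0; i < n; i++) { close(fds[i][0]); close(fds[i][1]); }
    setrlimit(RLIMIT_NOFILE, &old);
    return n;
}

int main(void)
{
    int e = 0, n = pipes_until_failure(16, &e);
    printf("%d pipes created before failure: %s\n", n, strerror(e));
    return 0;
}
```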