From: Jamie Clark
Date: Fri, 21 Nov 2003 09:19:02 +0800
To: kientzle@acm.org
cc: freebsd-hackers@freebsd.org
cc: freebsd-current@freebsd.org
cc: Len Sassaman
Subject: Re: Help request: problems with a 5.1 server and large numbers of ssh users.
Message-ID: <3FBD6806.2000108@metaparadigm.com>
In-Reply-To: <3FBD5072.7030603@acm.org>

Tim Kientzle wrote:

> Try an 'fstat' when connections start getting dropped.
> I wonder if something (PAM module, maybe?) is opening a
> file on each connection and you're running out of per-process
> file descriptors.

A similar thing happened here - although it wasn't sshd at fault. Len mentioned using ldap authentication. nss_ldap and/or pam_ldap use TCP connections to connect to the LDAP server. In my case there was another big consumer of persistent ldap connections that caused slapd to reach its default 1024 descriptor limit (which required a compile-time adjustment). Found this by tracing the master slapd process.

-Jamie
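
The fstat check suggested in the quoted text, as an added example that is not part of the original message: an sh/awk helper that counts numbered descriptors per process from fstat(1) output and lists processes close to a limit. The function names and the sample rows are constructed for illustration, and `FD_LIMIT` is an assumption taken from the 1024 figure mentioned above.

```shell
#!/bin/sh
# Added example: per-process descriptor counts from fstat(1) output.
# FD_LIMIT is an assumption (the 1024 figure from the message).
FD_LIMIT=1024

# Constructed sample rows in the fstat(1) column layout (not real host data).
sample_fstat() {
cat <<'EOF'
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
ldap     slapd        412 root /             2 drwxr-xr-x     512  r
ldap     slapd        412   wd /             2 drwxr-xr-x     512  r
ldap     slapd        412 text /usr      48211 -r-xr-xr-x  901232  r
ldap     slapd        412    0 /dev         12 crw-rw-rw-    null rw
ldap     slapd        412    6* internet stream tcp c2f41a80
ldap     slapd        412    7* internet stream tcp c2f41d20
root     sshd         733 text /usr      50112 -r-xr-xr-x  251344  r
root     sshd         733    3* internet stream tcp c2f42000
EOF
}

# fd_counts: read fstat output on stdin, print "PID CMD COUNT" per process.
# Only numbered descriptors are counted; root/wd/text rows do not use a
# descriptor slot. Socket rows carry a trailing '*' on the FD number.
fd_counts() {
    awk 'NR > 1 {
        fd = $4; sub(/\*$/, "", fd)
        if (fd ~ /^[0-9]+$/) { n[$3]++; cmd[$3] = $2 }
    }
    END { for (p in n) print p, cmd[p], n[p] }' | sort -n
}

# near_limit LIMIT PCT: list processes using at least PCT percent of LIMIT.
near_limit() {
    fd_counts | awk -v lim="$1" -v pct="$2" '$3 * 100 >= lim * pct'
}

# On a live host: fstat | near_limit "$FD_LIMIT" 80
sample_fstat | fd_counts
```

Run as root on the affected host so that fstat can see every process, and sample it while connections are being dropped.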