max_connections in ssh

Sirs, the problem is I have a script and 1 user on 30 different servers that ssh to our main server at the same time. Then after that my account is automatically locked. I don't know what the reason is; is it the max connections of 1 user using ssh?

Please help. How do I fix this?

I am not sure I follow exactly:

You have a script that ssh's to 30 other servers?
You have a script that ssh's from 30 other machines?

Your account is automatically 'locked'? What does this mean exactly? It's not a normal error message someone is likely to see for this type of activity.

From what I recall about programs like dssh (distributed secure shell, where you 'dssh web' and it will make an ssh connection to all your web family hosts, then if you type 'apachectl restart' it will issue the command on all the hosts and give you output / logging with a prefix of the host name) is that they handle this type of thing quite easily. I would look to the FAQs of the dssh-like applications; there are a few good ones out there.

If you gave us the OS you're using and more detail on this 'error' it would be helpful. My guess is that you're hitting a ulimit or activating an IDS/Snort rule of some administrator that is ahead of you on this mischief.

Amen to what HPAVC said: troubleshooting systems one never has seen would be a lot easier if at least the problems arising would be described concisely.

A possible problem could be the "maxlogin" value of AIX. It limits the number of simultaneous non-root connections. The value can be found in /etc/security/login.defs; look for a line that looks like "maxlogins = <nr>" in the "usw:" stanza.

You can change the value by issuing:

chlicense -I -u <number>

I hope this helps.

bakunin

Thanks for the insights, sirs. I will rephrase my statement: I have 1 main server and 30 sub servers. On each of those 30 sub servers I have 1 script that ssh's to my main server with the same USER and Password that they were using. After that it will lock that user. So my question is why SSH locked my account, or the system locked my account. How can I adjust max_user_connection? Or is that the problem? I don't know why it locked the account. Every morning I always unlock the account. Please help.

No clue. Without details on the OS and the exact error we are just guessing. I mean, the tool that you "unlock" the account with should provide the exact answer in its man page "also see: ..." area on how to modify.

Also odd that it occurs after all 30 are done, rather than on the 24th login and then the last 6 fail or what not.

Something like that. The scripts were meant for backup; there were some files that have been backed up and some not, because it was locked after some servers ssh'd to my main server. And every morning I reset the account. But the bad thing is that there were files that weren't backed up because the account had been locked.

I guess there's no problem with my AIX 5.2; it only happens now, when a lot of servers are using only 1 account.

Well, open up the license and/or auth logs and ...

$ ssh mainserver
$ ssh mainserver
...
$ ssh mainserver
$ ssh mainserver

in a loop in another tty and see exactly what is locking that account. It may be enough to just add it to a privileged group wheel, adm, backup or whatever the lockout does.

The error should exactly tell you what you need to start looking for man page wise.

No error occurred. But I checked the failed logins and it's the ssh user... a lot of it. What I want to know is, how did it happen? And do we have a command to issue for multiple max_user_connection? :(

invinzin21, you seem not to understand what HPAVC is trying to tell you: provide some info! To tell us "the account locks up" is fine, but how exactly is it locked up? Provide some output of "lsuser <ssh_user_account>", tell us what the "max_logins" line in /etc/security/login.defs looks like (as I told you already), etc. Maybe it's as simple as the ssh command giving the wrong password. AIX locks accounts if a maximum of failed login attempts is exceeded and they have to be unlocked by the administrator then - but that (as all the other things told to you) ARE JUST GUESSES and this is what we are left to as long as you do not show us some output of your actual system.

If you have a broken bicycle and want the mechanic to fix it you BRING IT THERE TO SHOW - you don't just call and tell the guy "yeah, well, it somehow doesn't go anymore or so".

HPAVC also asked about OS version and release level - still unanswered.

Sticking with the example above: if the poor guy on the phone is trying to find what's wrong with your bike and asks you which model it is: do you tell him "a yellow one" or do you think manufacturer, model number, year of purchase and similar information would be more useful to him?

bakunin

Sorry guys, I guess I already answered my OS version: AIX 5.2, as I stated above. Anyway, I figured it out.

# cat sshd_config |grep Max
MaxStartups 50

I increased it to 50; the default is 10. Thanks a lot, guys. Sorry to bother.
For your clarification, maybe you have some idea too of how to solve it; well, above is my solution. I edited the sshd_config.

# lsuser sbi
sbi id=224 pgrp=smartbro groups=smartbro,staff home=/smartbro shell=/usr/bin/ksh gecos=smartbro account login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=20 pwdwarntime=0 account_locked=false minage=2 maxage=13 minalpha=4 minother=0 mindiff=0 maxrepeats=8 minlen=8 histexpire=0 histsize=3 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=-1 stack=-1 core=-1 rss=-1 nofiles=-1 fsize_hard=-1 core_hard=-1 time_last_login=1203000499 time_last_unsuccessful_login=1202972499 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=10.170.1.243 host_last_unsuccessful_login=10.170.16.61 unsuccessful_login_count=0 roles=
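The `lsuser` line above already carries the three attributes that decide a failed-login lockout on AIX. The following script is an added example, not part of the original post, that reads them from such a line; `get_attr` and `lock_state` are hypothetical helper names, and treating a count equal to `loginretries` as exhausted is this example's conservative assumption.

```shell
#!/bin/sh
# Added example: summarise lockout-related attributes from one line of
# AIX `lsuser` output (attr=value pairs after the user name).

# get_attr NAME LINE -> prints the value of NAME= in LINE (empty if absent)
get_attr() {
    printf '%s\n' "$2" | tr ' ' '\n' |
        awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# lock_state LINE -> prints one of:
#   admin_locked       account_locked=true was set explicitly
#   unlimited          loginretries is 0 or unset, failures never lock
#   retries_exhausted  unsuccessful_login_count has reached loginretries
#                      (the >= boundary is an assumption of this example)
#   ok N               N failed attempts remain before the limit
lock_state() {
    locked=$(get_attr account_locked "$1")
    retries=$(get_attr loginretries "$1")
    fails=$(get_attr unsuccessful_login_count "$1")
    retries=${retries:-0}
    fails=${fails:-0}
    if [ "$locked" = "true" ]; then
        echo admin_locked
    elif [ "$retries" -le 0 ]; then
        echo unlimited
    elif [ "$fails" -ge "$retries" ]; then
        echo retries_exhausted
    else
        echo "ok $((retries - fails))"
    fi
}

# Attributes copied from the lsuser line in the post (shortened).
POSTED='sbi id=224 login=true loginretries=20 account_locked=false unsuccessful_login_count=0 roles='
# Constructed sample: the same account after a run of failed ssh logins.
FAILED='sbi id=224 login=true loginretries=20 account_locked=false unsuccessful_login_count=27 roles='

lock_state "$POSTED"
lock_state "$FAILED"
```

Note that `account_locked=false` alone does not rule out a lockout: the constructed sample shows an account that is unlocked by flag but out of retries.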

This "MaxStartups 10" sshd locks you out? MaxStartups refers to unauthenticated connections, does it not?

Either way good deal that it is now fixed and you can reverse dssh
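How `MaxStartups` treats a burst of simultaneous connections, as an added example that is not part of the original thread: it follows the rule documented in sshd_config(5), where the value is either a single number (a hard cap on unauthenticated connections) or `start:rate:full` (random early drop). `drop_percent` and `refused_from` are hypothetical names, and the burst model assumes no client finishes authenticating before the last one connects.

```shell
#!/bin/sh
# Added example: refusal chance for a new connection under MaxStartups.

# drop_percent SETTING PENDING
#   SETTING  MaxStartups value: "N" or "start:rate:full"
#   PENDING  unauthenticated connections already open
# Prints the percent chance (0-100) that sshd refuses the next connection.
drop_percent() {
    setting=$1
    pending=$2
    case $setting in
        *:*:*) start=${setting%%:*}; rest=${setting#*:}
               rate=${rest%%:*};     full=${rest#*:} ;;
        *)     start=$setting; rate=100; full=$setting ;;  # single value: hard cap
    esac
    if [ "$pending" -lt "$start" ]; then
        echo 0
    elif [ "$pending" -ge "$full" ] || [ "$rate" -eq 100 ]; then
        echo 100
    else
        # linear ramp from rate% at `start` up to 100% at `full`
        echo $(( rate + (100 - rate) * (pending - start) / (full - start) ))
    fi
}

# refused_from SETTING CLIENTS
# Worst case for a backup window: CLIENTS connect at once. Counts only the
# connections refused with certainty; probabilistic drops count as accepted.
refused_from() {
    pending=0
    refused=0
    i=0
    while [ "$i" -lt "$2" ]; do
        if [ "$(drop_percent "$1" "$pending")" -eq 100 ]; then
            refused=$((refused + 1))      # refused: occupies no slot
        else
            pending=$((pending + 1))      # accepted: now awaiting auth
        fi
        i=$((i + 1))
    done
    echo "$refused"
}

echo "MaxStartups 10, 30 clients at once: $(refused_from 10 30) refused"
echo "MaxStartups 50, 30 clients at once: $(refused_from 50 30) refused"
```

A connection refused this way never reaches authentication, so whether the client's retries then show up as failed logins depends on the calling script, not on sshd.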

I'm not very sure, sir, if that MaxStartups locks me. But when I adjusted it to 50 my backups were done completely and my account was not locked anymore. I really don't know what locks me out, but the important thing is I can back up every day :)