Setting the max open files value

blowtorch · April 11, 2008, 7:12am

I'm trying to set the open files value to 4000 on a SLES 9 system.

Current values:

ulimit -n
1024

I can set it using this:

ulimit -n 4000
ulimit -n
4000

But this obviously sets it only for the shell session where I run the command to set it. I want to set this to 4000 for all time.

What I've tried so far:

Extract from /etc/security/limits.conf:

*       hard    nofile  4000
*       soft    nofile  4000

In the sshd and login files in /etc/pam.d,

grep pam_limits.so login sshd
login:session  required       pam_limits.so
sshd:session  required       pam_limits.so

What am I missing here? I even tried a reboot (I don't know if it was required, but the server isn't live, so I can experiment a bit :P)

reborg · April 11, 2008, 1:01pm

That looks like everything to me.

You don't have any "sufficient" modules earlier in the list in those pam configuration files by any chance?

I don't have a SLES server handy, but on SuSE I have exactly that configuration and it is working correctly.

/etc/security/limits:

#@student        -       maxlogins       4
*	soft	nofile	64000	
*	hard	nofile	64000
# End of file

/etc/pam.d/sshd:

auth     required       pam_unix2.so	# set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
account  required       pam_unix2.so
account  required	pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so	use_first_pass use_authtok
session  required       pam_unix2.so	none # trace or debug
session  required       pam_limits.so

Result:

# ulimit -n 
64000

A reboot is not needed, just a new login session when you change this.

blowtorch · April 13, 2008, 9:39pm

Thanks for checking reborg. I do have an extra line in the /etc/pam.d/sshd file "auth optional pam_lockout.so minuid=100". I doubt that it has anything to do with the limits.conf file though.

An update...

I found that connecting by telnet sets the value to 4000 as set in /etc/security/limits.conf, but using ssh still keeps the old (default) value of 1024. A colleague suggested that this has something to do with the UsePrivilegeSeparation directive in sshd_config.

However this directive was originally not present in my sshd_config file (I don't know the default value), and I tried setting it to both yes and no (restarting sshd each time, ofcourse), but it made no difference.

Again, if anyone has any further suggestions, it would help.

Reborg, if you could tell me what the UsePrivilegeSeparation is set to on your SuSE box, it would help too.

blowtorch · April 14, 2008, 3:11am

Fixed the problem! A close look at the sshd_config file showed that Use_PAM wasn't set at all. Set that to yes. Also set ChallengeResponseAuthentication to no.

UsePAM yes
ChallengeResponseAuthentication no

After this a restart of sshd is all that it takes to fix it.