
Re: SSH MaxJobs

 
Aaron Sakovich
Super Advisor

SSH MaxJobs

I disabled telnet on all our systems last night as we've deployed SSH capabilities to all of our systems and users. This morning, 14 users were able to log into one node, after which connections were rejected.

I tracked the %LOGIN-F-USEREXC in the Operator.log back to the MaxJobs setting for TCPIP$SSH. The as-installed value was 10; I bumped it up to 64 on the theory that it should closely match our interactive login limit. Why a MaxJobs of 10 resulted in 14 successful logins is beyond me at this time, but users are now able to log in successfully.

I've searched the docu for info regarding the proper adjustment of this value for the TCPIP$SSH account, but I've not found any reference to it. Does anyone know of any suggestions or references for this specific application? I'm especially curious due to the lack of correspondence between the 14 SSH logins I saw versus the MaxJobs setting of 10 -- it's obviously not a one-for-one mapping.

Oh, btw, TCP/IP Services v5.4, ECO 4.

TIA,
Aaron
John Gillings
Honored Contributor
Solution

Re: SSH MaxJobs

Aaron,

I'm surprised you have a non-zero MaxJobs - perhaps that's a site specific default? The OOTB default is 0.

If you want to limit SSH connections, the "expected" way to do it is via the service limits in TCPIP:

$ TCPIP SHOW SERVICE SSH/FULL
$ TCPIP SET SERVICE SSH/LIMIT=n

I'd recommend setting TCPIP$SSH MaxJobs to 0. Let TCPIP control the service limit and the individual user MaxJobs control the users.

I'm guessing that the lack of documentation is it never occurred to anyone that the TCPIP$SSH account would have a non-zero MaxJobs value.

As for the 14/10 discrepancy... remember that it's maxJOBS, not maxPROCESSES. From a quick look it appears that SSH creates some kind of controller process running under TCPIP$SSH, probably to do all the encryption and decryption stuff. I'd guess there's an optimization where multiple incoming sessions can be handled by the same process. Guessing further, maybe it's per host?, per user? So, that would mean MaxJobs=10 would allow up to 10 HOST connections, or 10 USERNAMES connected before a failure. That's just a guess, but I'm sure the explanation will be along those lines.

In any case, if it was thought that MaxJobs was a useful control knob for SSH, it would be documented. It isn't, so don't waste time trying to figure out the details, just don't use it. :-)
A crucible of informative mistakes
Aaron Sakovich
Super Advisor

Re: SSH MaxJobs

I've confirmed the setting of 10 on the Default account, so you nailed it. Your advice is reasonable, so I'll follow it and set MaxJobs to 0. I did notice that the TCPIP service limit was 10,000, way more than adequate for our site.

Thanks for your time,
Aaron