# ssh setuid: Resource temporarily unavailable [SOLVED]

## HeXiLeD

It's been a while that I have been having this problem with ssh, and the closest topics/help I found out there were this topic here and this other one, and they were not that helpful.

I checked /etc/security/limits.conf as well as /etc/pam.d/system-auth and they are the same as on another computer which does not suffer from the same ssh login problem.

It might be related to PAM but I am not sure, since I cannot remember what may have changed.

Any ideas?

```
net-misc/openssh-5.8_p1-r1  USE="X -X509 -hpn -kerberos -ldap -libedit pam (-selinux) -skey -static tcpd" 
```

I recompiled without pam and the problem still remained.

I also have the same problem with telnet. It also fails to log in, in a similar way.

```
Nov 30 09:34:07  sshd[23457]: Accepted password for mike from <ip> port 51889 ssh2
Nov 30 09:34:07  login[23459]: pam_unix(login:session): session opened for user <name> by (uid=0)
Nov 30 09:34:08  login[23467]: bad user ID `1001' for user `<name>': Resource temporarily unavailable
Nov 30 09:34:08  login[23459]: pam_unix(login:session): session closed for user <name>
Nov 30 09:34:08  sshd[23457]: Received disconnect from <ip>: 11: disconnected by user
```

Any suggestions?

----------

## HeXiLeD

I have almost been able to solve the problem.

I unmerged openssh and removed all its files from the system.

Then emerged again.

```
net-misc/openssh-5.8_p1-r1  USE="X -X509 hpn -kerberos -ldap -libedit -pam (-selinux) -skey -static tcpd"
```

Did some changes on /dev/pty

```
rm -rf /dev/ptmx
mknod /dev/ptmx c 5 2
chmod 666 /dev/ptmx
umount /dev/pts
rm -rf /dev/pts
mkdir /dev/pts
mount /dev/pts
```

Recreated the confs:

```
# http://www.manpagez.com/man/5/sshd_config/
#   $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
ListenAddress 192.168.1.54
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#Allow users
#AllowUsers <user1> <user2> <user3> or <user@ip>
AllowUsers user1
#AllowGroups powerusers
#AllowUsers user1@ip user2@ip user3@ip user4@ip

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 1m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication no
#AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# UsePAM no

AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment yes
#Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10
PermitTunnel yes
#ChrootDirectory none

# no default banner path
Banner /etc/ssh/banner

# override default of no subsystems
Subsystem   sftp   /usr/lib64/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
#NoneEnabled no

# disable hpn performance boosts.
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
```

So far everything works fine under certain conditions. I am able to log in remotely and locally as long as I don't have X started for the user I will be using to log in.

In other words, if I start as user1 I cannot login on sshd with root, user2, peter, john, etc., but I cannot login as user1.

In order to be able to log in with any user I must not start X.

This is the result I get when trying to log in on sshd with a user that has X running locally.

```
$ ssh user1@192.168.1.54 -v
OpenSSH_5.8p1-hpn13v10, OpenSSL 1.0.0g 18 Jan 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to  192.168.1.54 [192.168.1.54] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1-hpn13v10
debug1: match: OpenSSH_5.8p1-hpn13v10 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1-hpn13v10
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA -------------------------------------------------------
debug1: Host '192.168.1.54' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
Authenticated to 192.168.1.54 ([192.168.1.54] :22).
debug1: Final hpn_buffer_size = 131072
debug1: HPN Disabled: 0, HPN Buffer Size: 131072
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
shell request failed on channel 0
```

I am thinking that it might have to do with some sshd_config settings but cannot figure out which ones. Any ideas?

----------

## salahx

The only reason I can think of that setuid() would fail with that error is this: RLIMIT_NPROC and setuid()

----------

## HeXiLeD

I believe I may have solved the setuid issue. However, the "shell request failed on channel 0" is still ongoing. Not sure if they are related, but I get the same problem with telnet.

I can telnet without any problems to the selected user as long as the user does not run X. If the user runs X then the same problem happens as described above.

Along with this, if I telnet or ssh to the box using a user login that does not use X, as I said before, everything works; but once I connect using telnet or ssh and then start X for the logged-in user (locally) and try to run any application through ssh or telnet, such as htop or mc, I get the following error:

```
-bash: fork: Resource temporarily unavailable.
```

Which takes me to this forgotten post of mine.

I have also deleted all user .X* files as well as .bashrc.

----------

## HeXiLeD

I just found interesting details. This may not be related to X; at least not directly.

I use fluxbox and have a few applications starting once I startx.

I just found out that "-bash: fork: Resource temporarily unavailable." only happens if I have some applications running on X like the following:

firefox

seamonkey

thunderbird

libreoffice

amule

skype

nicotine+

audacious

However, for these I get no trouble:

vlc

dvdrip

dillo

opera

links -g

abiword

audacity

nero

celestia

stellarium

pidgin

amsn 

```
user1@box ~ $ ulimit
unlimited
user1@box ~ $ ulimit -u
31647
```

```
# cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#
#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4
# End of file
```

----------

## salahx

If fork() is failing with EAGAIN and it's not due to the user process limit, then it's hitting some other resource limit: either insufficient RAM (but unless overcommit is disabled the OOM killer would have triggered well before this) or some other limit, such as more than /proc/sys/kernel/pid_max processes, some cgroup limit, etc.

----------
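
A diagnostic for the limits named in the reply above, as an added example that is not part of the original thread: it counts tasks per real UID (on Linux, RLIMIT_NPROC counts threads, not only processes), compares that with the soft "Max processes" limit of a given PID such as the running sshd, and reports PID headroom against pid_max. The function names and the optional PROC_ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the optional
# PROC_ROOT argument (default /proc) are assumptions for illustration.

# Sum the Threads: field of every process whose real UID is $1 ("all" = any UID).
# RLIMIT_NPROC is charged per thread on Linux, so one multi-threaded
# application can use far more of the limit than a process count suggests.
tasks_for_uid() {
    cat "${2:-/proc}"/[0-9]*/status 2>/dev/null |
        awk -v u="$1" '$1 == "Uid:"          { m = (u == "all" || $2 == u) }
                       $1 == "Threads:" && m { t += $2 }
                       END { print t + 0 }'
}

# Soft "Max processes" limit of PID $1. Without pam_limits a session inherits
# this from the daemon that spawned it, which can differ from `ulimit -u`
# in a local shell.
nproc_limit_of() {
    awk '/^Max processes/ { print $3 }' "${2:-/proc}/$1/limits" 2>/dev/null
}

# Compare usage with the limit; for an unprivileged user fork() returns
# EAGAIN once tasks >= limit.
check_nproc() {  # usage: check_nproc UID PID [PROC_ROOT]
    used=$(tasks_for_uid "$1" "${3:-/proc}")
    lim=$(nproc_limit_of "$2" "${3:-/proc}")
    case $lim in
        unlimited)   verdict=ok ;;
        ''|*[!0-9]*) verdict=unknown ;;
        *) if [ "$used" -ge "$lim" ]; then verdict=at_limit; else verdict=ok; fi ;;
    esac
    echo "uid=$1 tasks=$used nproc_soft=${lim:-?} verdict=$verdict"
}

# System-wide headroom: kernel.pid_max minus all tasks (every thread uses a PID).
pid_headroom() {
    max=$(cat "${1:-/proc}/sys/kernel/pid_max")
    echo $(( max - $(tasks_for_uid all "${1:-/proc}") ))
}

# Run only when called with arguments: UID PID [PROC_ROOT]
if [ $# -ge 2 ]; then
    check_nproc "$@"
    echo "pid_headroom=$(pid_headroom "${3:-/proc}")"
fi
```

Run it as root with the affected UID and the PID of the listening sshd, so that the limit checked is the one the daemon passes on rather than the one of an interactive shell.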

## HeXiLeD

Of the 4 GB of RAM, when the box boots it only uses 400mb or less. After the applications are running I still have a lot of free RAM.

```
$ free
             total       used       free     shared    buffers     cached
Mem:       4051568    3444928     606640          0     146408    1312108
-/+ buffers/cache:    1986412    2065156
Swap:      2048280      28948    2019332
```

I tried to look for group/user kernel limits but did not find something that looked relevant. Maybe something is missing somewhere.

Current kernel configuration:

Linux/x86_64 3.2.2 Kernel Configuration

----------

## HeXiLeD

Solved now with the following:

```
OpenSSH_5.9p1-hpn13v11, OpenSSL 1.0.0h
net-misc/openssh-5.9_p1-r4 USE="X -X509 hpn -kerberos -ldap -libedit -pam (-selinux) -skey -static tcpd"
```

And using the following configuration options:

```
#       $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

###############################################################################
# Allow specific users to login
#AllowUsers <user1> <user2> <user3> or <user@ip>
# AllowGroups powerusers
# AllowUsers user1@ip user2@ip user3@ip user4@ip
AllowUsers user1 user2@<ip>
#AllowGroups powerusers
#AllowUsers user1@ip user2@ip user3@ip user4@ip

###############################################################################
Port 22
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

###############################################################################
# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

###############################################################################
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

###############################################################################
# Authentication:
LoginGraceTime 1m
PermitRootLogin yes # Since it is lan restricted by ip
StrictModes yes
MaxAuthTries 3
MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication no #was yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

###############################################################################
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd no
#KerberosTicketCleanup no
#KerberosGetAFSToken no

###############################################################################
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck no

###############################################################################
# Pam Option
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

###############################################################################
ChrootDirectory none
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10
PermitTunnel yes

###############################################################################
# Default banner path
Banner /etc/ssh/banner

###############################################################################
# override default of no subsystems
# http://en.gentoo-wiki.com/wiki/SFTP_Server
Subsystem       sftp    /usr/lib64/misc/sftp-server

###############################################################################
# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# allow the use of the none cipher
#NoneEnabled no

# disable hpn performance boosts.
HPNDisabled no

# buffer size for hpn to non-hpn connections
HPNBufferSize 2048

###############################################################################
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
```

Topic is SOLVED

----------

