OpenSSH and syslog

Pablo Castellazzi pcastellazzi at netlabs.com.uy
Fri Apr 17 16:58:26 AEST 2015


Hello.

Today I found an interesting problem related to OpenSSH. If you open enough connections to /dev/log which your current logger can't handle, you can't log in remotely using SSH, which is blocked waiting for access to /dev/log.

To reproduce this problem I used CentOS 6 and 7 with the following script:

#!/bin/bash
# each backgrounded pipeline holds one /dev/log connection open
for i in {1..500}; do
  (yes | logger) &
done

For CentOS 6, 50 is enough to cause rsyslog to stop accepting connections. It's a known limitation described here:
http://www.rsyslog.com/doc/v8-stable/configuration/modules/imuxsock.html

For CentOS 7, the limit is around 450; I believe it is for the same reason (but with systemd this time), but I did not check.

I am not sure if this is a problem or a feature. I guess under some circumstances it would be appropriate to deny access if you can't record it. On the other hand, it makes it too difficult to access cloud systems which are under stress.

I would like to hear your thoughts about how we should handle this issue. Some form of asynchronous logging comes to mind, or maybe a timeout and a configuration option to make it non-fatal.

Best Regards.
Pablo Castellazzi.
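The failure mode in the post is a blocking write to /dev/log holding up the process that logs. As an added illustration (not code from the poster or from OpenSSH), the script below shows the shape of the timeout-based mitigation suggested in the mail: a syslog writer that gives up on a send after a short deadline and reports the drop instead of hanging. It stands in for /dev/log with a hypothetical Unix datagram socket in a temporary directory whose receiver never reads, which is what a saturated rsyslog or journald looks like from the client side; the class and function names, the sshd-style message text and the counts are all constructed for this example.

```python
import os
import socket
import tempfile
import time

# RFC 3164 PRI for facility auth (4) and severity info (6): 4 * 8 + 6
PRI_AUTH_INFO = 38


class BoundedSyslogWriter:
    """Writes syslog datagrams but never waits longer than `timeout` seconds.

    A plain blocking socket to /dev/log is what lets a wedged logger stall
    every process that logs; here a timed-out or failed send is counted as a
    drop and reported to the caller, who decides whether that is fatal.
    """

    def __init__(self, sock, timeout=0.01):
        self.sock = sock
        self.sock.settimeout(timeout)
        self.delivered = 0
        self.dropped = 0

    def send(self, tag, text, pri=PRI_AUTH_INFO):
        line = f"<{pri}>{tag}: {text}".encode()
        try:
            self.sock.send(line)
        except OSError:
            # socket.timeout (peer queue full, Linux) or ENOBUFS (BSD/macOS):
            # the logger is not draining, so drop rather than block.
            self.dropped += 1
            return False
        self.delivered += 1
        return True


def simulate_stalled_logger(attempts=100, timeout=0.01):
    """Flood a receiver that never reads, standing in for a saturated /dev/log.

    Returns counts and the wall-clock time the caller was held up, which
    stays bounded by roughly attempts * timeout whatever the logger does.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "log")  # hypothetical stand-in for /dev/log
    receiver = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    receiver.bind(path)
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sender.connect(path)
    writer = BoundedSyslogWriter(sender, timeout)
    start = time.monotonic()
    try:
        for i in range(attempts):
            # Constructed sshd-style line; the receiver deliberately never recv()s it.
            writer.send(
                "sshd[4242]",
                f"Accepted publickey for alice from 192.0.2.10 port {50000 + i} ssh2",
            )
        elapsed = time.monotonic() - start
    finally:
        sender.close()
        receiver.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return {
        "attempted": attempts,
        "delivered": writer.delivered,
        "dropped": writer.dropped,
        "elapsed": elapsed,
    }


if __name__ == "__main__":
    print(simulate_stalled_logger())
```

Run it and the first few datagrams are accepted (the kernel queues them), after which every send fails within the deadline and the loop finishes in well under a second of wall-clock time per hundred attempts; the same loop with a blocking socket would simply never return. Whether a drop should abort the caller (deny the login because it cannot be recorded) or merely be counted is exactly the policy choice the mail raises, and it belongs in configuration rather than in the writer.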
