Hi Gurus,
Thanks to Tom Webster and Patrick Schemitz. Tom has suggested two possible
solutions:
1) Change ssh configuration file
In particular, change the "UseLogin" option to "yes". This should force
ssh to use login(1) as part of the login process and follow C2 restrictions.
I have done this in the ssh1 configuration file but it did not work (ssh2
has no such option). Tom recommended OpenSSH but since we have plain
ssh1 and ssh2 installed we did not try OpenSSH.
2) Use dxkerneltuner(8X) to activate autonice in the kernel.
We have not tried this because we do not know if this would also affect
system daemons.
Patrick, being the author of AND (auto nice daemon), called our attention to
it; see http://and.sourceforge.net/. AND works for several operating systems
including Tru64 Unix 4.0x and probably also works for 5.0x. It looks
simple to install and configure and it is just what we are looking for. However,
for now we are taking a simpler solution: just renice the sshd daemons to 20
after any reboot; all ssh connections will then have nice number 20, as will
all shell processes started by that user.
As a final note, I have found a reference to "autonice", which has the same
purpose as "and". It is in ftp.ba.cnr.it/pub/users/massimo/autonice-0.6 .
Regards,
Oyanarte Portilho
Institute of Physics
University of Brasilia, Brazil
=======================
Original post:
> We installed tru64 5.0a with enhanced security on our boxes. However
> when connections are made through ssh and users start to run any
> program, the nice number (set to 20) established in the security controls
> of the account manager is not obeyed. As a result, the machine does not
> allow any further logins, even for root, because the cpu gets too busy
> running the code with high priority. This happens when the user eventually
> forgets to renice his process to 20. This also occurred when we had tru64
> 4.0 but the super user could login and renice the eager process manually.
> Does anybody know how to solve this problem? In the old times I heard
> about "autonice", a code that could renice processes automatically but I
> do not know if this would work under 5.0a.
Received on Thu Mar 08 2001 - 21:42:26 NZDT
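
The "renice the sshd daemons after any reboot" workaround described in the summary above, as an added example that is not part of the original post: the nice value is inherited across fork, so every session the daemon spawns afterwards starts at the lowered priority. The daemon names (sshd, sshd1, sshd2), the `ps -e -o pid,nice,comm` invocation, the traditional `renice priority -p pid` form and the `--apply` switch are assumptions, and the `ps` sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: renice running sshd daemons at boot.
TARGET_NICE=20   # nice value used in the post

# Constructed sample of `ps -e -o pid,nice,comm` output, for offline checks.
sample_ps() {
    cat <<'EOF'
  PID  NI COMMAND
    1   0 init
  412   0 /usr/local/sbin/sshd
  977   0 sshd
 1033  20 sshd
 1200   0 sshd2
 1301   - kthread
 1410   0 ssh-agent
 1500   4 tcsh
EOF
}

# Reads "PID NI COMMAND" lines on stdin and prints the PIDs of ssh daemons
# whose nice value is below the target given as $1.
# Assumption: the daemons are named sshd, sshd1 or sshd2.
select_sshd_pids() {
    awk -v target="$1" '
        NR == 1 && $1 == "PID" { next }                 # skip the ps header
        { n = split($3, part, "/"); name = part[n] }    # basename of the command
        name ~ /^sshd[12]?$/ && $2 ~ /^-?[0-9]+$/ && $2 + 0 < target + 0 { print $1 }
    '
}

renice_sshd() {
    pids=$(ps -e -o pid,nice,comm | select_sshd_pids "$TARGET_NICE")
    [ -n "$pids" ] || return 0          # nothing to do
    # Assumption: renice accepts the traditional "renice priority -p pid..." form.
    # $pids is left unquoted on purpose so each PID becomes its own argument.
    renice "$TARGET_NICE" -p $pids
}

# Only touch real processes when asked to, e.g. from a boot script.
if [ "${1:-}" = "--apply" ]; then
    renice_sshd
fi
```

Run it as root with `--apply` from a startup script once the ssh daemons are up; sessions that were already open keep their old nice value.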