We recently upgraded a high volume CentOS 7 SFTP server running openssh/internal-sftp to Rocky Linux 8.

However, since the upgrade we are experiencing login timeout issues after the server has been running for 1-2 hours. This seems to be related to the number of open SFTP sessions and/or systemd --user processes.

After 1-2 hours, new SFTP logins become extremely slow and we start seeing these messages in the log:

Apr 14 12:16:58 sftp sshd[330585]: pam_systemd(sshd:session): Failed to create session: Connection timed out 

Sometimes it clears up if enough SFTP sessions are closed fast enough, but more often we have to reboot the server to restore normal service.

Would it be advisable to disable systemd-logind as this doesn't seem needed for SSH?

UPDATE
Not sure if this is relevant, but systemctl list-units --state=abandoned returns 100's of abandoned sessions.

UPDATE 2
After disabling pam_systemd.so system is running normally again. This effectively disables systemd-logind for SSH sessions.

80% reduced system load indicates massive performance penalty using systemd-logind.

Is this normal?!

  • Welcome to systemd. Commented Apr 15 at 9:12
  • I do not observe this behavior on AlmaLinux 8 (should be very close to Rocky Linux). Commented Apr 15 at 9:57

1 Answer

I would first systemctl mask user@.service as SFTP definitely doesn't need it. This would prevent systemd --user from being started while keeping systemd-logind in general, and I suspect it might be a good chunk of your performance issues.

Completely disabling pam_systemd is mostly fine for an SFTP-only server. The biggest downside is that all "session" processes then remain part of the sshd.service cgroup, instead of being moved to individual user/session cgroups, meaning that restarting sshd might kill all sessions including one's admin SSH shell. (It shouldn't, as sshd.service has KillMode=process, but I don't know if you can rely on that.)

So if possible, instead of removing it completely I would add a pam_succeed_if to skip the pam_systemd module only for SFTP clients but retain it for root and other sysadmin sessions (e.g. checking for members of "sftpusers", or not members of "wheel" or "sudoers")

session [success=1 default=ignore] pam_succeed_if.so user notingroup wheel
session optional pam_systemd.so
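
Added example, not part of the original answer: a small Python model of how the `[success=1 default=ignore]` jump decides which accounts still reach pam_systemd, so the line ordering can be checked before editing the real PAM file. The sample stack is constructed; the pam_loginuid and pam_limits lines around the answer's two lines are assumptions, and only `user ingroup`/`user notingroup` conditions are evaluated.

```python
import re

# Constructed sample: the two lines from the answer, with assumed neighbours
# (pam_loginuid, pam_limits) to show where the jump lands.
SAMPLE_STACK = """\
session  required  pam_loginuid.so
session  [success=1 default=ignore] pam_succeed_if.so user notingroup wheel
session  optional  pam_systemd.so
session  required  pam_limits.so
"""

LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
FLAGS = {"quiet", "quiet_success", "quiet_fail", "use_uid", "debug", "audit"}

def parse_stack(text, kind="session"):
    """Return [(control, module, args)] for one PAM management group."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == kind:
            entries.append((m.group(2), m.group(3), m.group(4).split()))
    return entries

def succeed_if(args, groups):
    """Evaluate a 'user ingroup G' or 'user notingroup G' condition."""
    cond = [a for a in args if a not in FLAGS]
    if len(cond) != 3 or cond[0] != "user" or cond[1] not in ("ingroup", "notingroup"):
        raise ValueError("unsupported condition: " + " ".join(args))
    return (cond[2] in groups) == (cond[1] == "ingroup")

def modules_run(entries, groups):
    """List the modules PAM would call, honouring success=N jumps.
    Simplification: every module other than pam_succeed_if is assumed to succeed."""
    ran, i = [], 0
    while i < len(entries):
        control, module, args = entries[i]
        ran.append(module)
        i += 1
        if module == "pam_succeed_if.so" and control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control.strip("[]").split())
            if succeed_if(args, groups) and actions.get("success", "").isdigit():
                i += int(actions["success"])  # skip the next N modules
    return ran

def gets_logind_session(text, groups):
    return "pam_systemd.so" in modules_run(parse_stack(text), groups)

if __name__ == "__main__":
    for name, groups in (("sftp-only user", {"sftpusers"}), ("admin", {"wheel"})):
        print(name, "-> pam_systemd runs:", gets_logind_session(SAMPLE_STACK, groups))
```

The model shows why the pam_succeed_if line has to sit directly above pam_systemd.so: with `success=1` it skips exactly one following module, so any line inserted between the two would be skipped instead.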