Red Hat Bugzilla – Bug 113559
ssh privsep does not work with pam_limits.
Last modified: 2013-07-02 18:58:58 EDT
Description of problem:
pam_limits is incompatible with privsep. If privsep is in use, the
following message is logged:
Jan 15 00:21:32 hibernia sshd: fatal: PAM session setup failed: Permission denied
And ssh login fails. The problem obviously being that pam_limits may
need elevated privileges itself in order to set limits.
To work around this either:
- do not use ssh with privsep
- chmod o-r /etc/security/limits.conf (
I notice Fedora seems to ship with the latter workaround enabled.
However, this in itself is a problem as it silently ignores the limits
configuration. I'm not sure there is an easy solution to this - the
privilege separated daemon (running as user) would need the privileges
needed to set limits; possibly the easiest solution would be for the
privsep'd daemon to retain CAP_SYS_RESOURCE until after it has
completed PAM authentication.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. run ssh server in privsep mode
2. configure pam_limits for the ssh service; make sure limits.conf is
readable to all
3. try to ssh to the server.
Actual results:
authentication succeeds, session setup fails, ssh session is dropped.
Expected results:
ssh session is created and user is able to login via ssh.
I believe this is a duplicate of bug 111175.
*** This bug has been marked as a duplicate of 111175 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
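An added example, not part of the original report: a small audit helper that classifies a host into the states the description distinguishes (session setup fails, limits silently ignored, privsep off). The state names, the sample configuration text, and the assumption that privsep is on when UsePrivilegeSeparation is absent are illustrative; included PAM stacks such as system-auth are not followed.

```python
import re
import stat

def privsep_enabled(sshd_config):
    """Effective UsePrivilegeSeparation; sshd uses the first value it finds."""
    for raw in sshd_config.splitlines():
        m = re.match(r"\s*UsePrivilegeSeparation[\s=]+(\S+)", raw, re.I)
        if m:
            return m.group(1).lower() != "no"
    return True  # assumption: privsep is on when the keyword is absent

def uses_pam_limits(pam_service):
    """True if an active 'session' line of the PAM service file loads pam_limits."""
    for raw in pam_service.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Field 0 is the type (optionally prefixed with '-'), field 1 starts the
        # control (possibly a multi-word [...] form), the module path follows.
        if len(fields) >= 3 and fields[0].lstrip("-") == "session":
            if any("pam_limits" in f for f in fields[2:]):
                return True
    return False

def classify(sshd_config, pam_service, limits_mode):
    """Map a host's configuration onto the outcomes described in the report."""
    if not uses_pam_limits(pam_service):
        return "pam_limits-not-used"
    if not privsep_enabled(sshd_config):
        return "privsep-off"                      # first workaround in the report
    if limits_mode & stat.S_IROTH:
        return "session-setup-fails"              # the reported failure
    return "limits-silently-ignored"              # second workaround (chmod o-r)

# Constructed sample inputs, not taken from a real host.
SAMPLE_SSHD = "Port 22\n#UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n"
SAMPLE_PAM = (
    "auth       required     pam_stack.so service=system-auth\n"
    "session    required     pam_limits.so\n"
)

if __name__ == "__main__":
    for mode in (0o644, 0o640):
        print(oct(mode), classify(SAMPLE_SSHD, SAMPLE_PAM, mode))
```

On a real host the mode argument would come from os.stat("/etc/security/limits.conf").st_mode; a "limits-silently-ignored" result is the case worth flagging, since logins succeed while the configured limits are not applied.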