Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 113559 - ssh privsep does not work with pam_limits.
ssh privsep does not work with pam_limits.
Status: CLOSED DUPLICATE of bug 111175
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jindrich Novy
Depends On:
  Show dependency treegraph
Reported: 2004-01-15 05:58 EST by Paul Jakma
Modified: 2013-07-02 18:58 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 14:00:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Paul Jakma 2004-01-15 05:58:59 EST
Description of problem:

pam_limits is incompatible with privsep. If privsep is in use
following message is logged:

Jan 15 00:21:32 hibernia sshd[20396]: fatal: PAM session setup
failed[6]: Permission denied

And ssh login fails. The problem obviously being that pam_limits may
need elevated privileges itself in order to set limits.

To work around this either:

- do not use ssh with privsep


- chmod o-r /etc/security/limits.conf (

I notice Fedora seems to ship with the latter work around enabled.
However, this in itself is a problem as it silently ignores the limits
configuration. I'm not sure there is an easy solution to this - the
privilege seperated daemon (running as user) would need privileges
needed to set limits, possibly easiest solution would be for the
privsep'd daemon to retain CAP_SYS_RESOURCE until after it has
completed PAM authentication.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. run ssh server in privsep mode
2. configure pam_limits for ssh service make sure limits.conf is
readable to all
3. try to ssh to the server.
Actual results:

authentication succeeds, session setup fails, ssh session is dropped.

Expected results:

ssh session is created and user is able to login via ssh.

Additional info:

Comment 1 B.R. 2004-09-02 01:32:31 EDT
I believe this is a duplicate of bug 111175.


Comment 2 Jindrich Novy 2004-09-21 09:56:22 EDT

*** This bug has been marked as a duplicate of 111175 ***
Comment 3 Red Hat Bugzilla 2006-02-21 14:00:46 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.