Bug 113559 - ssh privsep does not work with pam_limits.
Summary: ssh privsep does not work with pam_limits.
Status: CLOSED DUPLICATE of bug 111175
Alias: None
Product: Fedora
Classification: Fedora
Component: pam   
(Show other bugs)
Version: 1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2004-01-15 10:58 UTC by Paul Jakma
Modified: 2013-07-02 22:58 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 19:00:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Paul Jakma 2004-01-15 10:58:59 UTC
Description of problem:

pam_limits is incompatible with privsep. If privsep is in use
following message is logged:

Jan 15 00:21:32 hibernia sshd[20396]: fatal: PAM session setup
failed[6]: Permission denied

And ssh login fails. The problem obviously being that pam_limits may
need elevated privileges itself in order to set limits.

To work around this either:

- do not use ssh with privsep


- chmod o-r /etc/security/limits.conf (

I notice Fedora seems to ship with the latter work around enabled.
However, this in itself is a problem as it silently ignores the limits
configuration. I'm not sure there is an easy solution to this - the
privilege seperated daemon (running as user) would need privileges
needed to set limits, possibly easiest solution would be for the
privsep'd daemon to retain CAP_SYS_RESOURCE until after it has
completed PAM authentication.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. run ssh server in privsep mode
2. configure pam_limits for ssh service make sure limits.conf is
readable to all
3. try to ssh to the server.
Actual results:

authentication succeeds, session setup fails, ssh session is dropped.

Expected results:

ssh session is created and user is able to login via ssh.

Additional info:


Comment 1 B.R. 2004-09-02 05:32:31 UTC
I believe this is a duplicate of bug 111175.


Comment 2 Jindrich Novy 2004-09-21 13:56:22 UTC

*** This bug has been marked as a duplicate of 111175 ***

Comment 3 Red Hat Bugzilla 2006-02-21 19:00:46 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.