Red Hat Bugzilla – Bug 131572
pam_limits.so maxlogins incorrect behavior for console login
Last modified: 2015-01-07 19:08:28 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3 Description of problem: After configuring the maxlogins parameter on /etc/security/limits.conf I get an odd behavior when trying to login multiple times with different user accounts. The following line is inserted in /etc/security/limits.conf: * hard maxlogins 2 After rebooting the system I am able to login with user1 (a regular unprivileged user) at three terminals simultaneously. I then proceed to login with user2 (another regular unprivileged user) at the fourth terminal and to my surprise I get a message stating that user2 has exceeded his maximum login count. The point is that user2 is not logged on at all. The same happens with other users. I must then logoff with user1 (at least from one terminal) to be able to login with user2. Version-Release number of selected component (if applicable): pam-0.75-54 How reproducible: Always Steps to Reproduce: 1. Insert "* hard maxlogins 2" in /etc/security/limits.conf. 2. Reboot. 3. Login with the same unpriviliged user on three differente terminals. 4. Try to login with another unpriviliged user on yet another terminal. Actual Results: I am unable to login with the second unpriviliged user and get a message stating such user has exceeded his maximum login count. Expected Results: Login with the second user should be normal as it is not logged on at all. Additional info: This is my /etc/pam.d/system-auth file: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so password required /lib/security/$ISA/pam_cracklib.so retry=3 type= password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so This is my /etc/pam.d/login file: #%PAM-1.0 auth required pam_securetty.so auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth session optional pam_console.so
Note this is fixed with the latest pam errata but you need to use & instead of * because the behaviour of * couldn't be changed so other users which depend on it's current behaviour configurations wouldn't got broken configurations. Also note that pam-0.77 and higher uses the * character in the meaning you expect and it uses % character for the behaviour of pam-0.75's *.