Bug 190456 - limits.conf ignored by ssh pam logins
limits.conf ignored by ssh pam logins
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam (Show other bugs)
4.0
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Jay Turner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-05-02 11:38 EDT by Timothy Stotts
Modified: 2015-01-07 19:12 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-03 02:42:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
File from /etc/ssh/sshd_config (1.46 KB, text/plain)
2006-05-02 18:37 EDT, Timothy Stotts
no flags Details
File from /etc/pam.d/sshd . (317 bytes, text/plain)
2006-05-02 18:38 EDT, Timothy Stotts
no flags Details
File from /etc/security/limits.conf (1.56 KB, text/plain)
2006-05-02 18:40 EDT, Timothy Stotts
no flags Details

  None (edit)
Description Timothy Stotts 2006-05-02 11:38:14 EDT
All pam authentication ignores the limits.conf settings, whether ssh or physical
login.


Version-Release number of selected component (if applicable):
pam-0.77-66.13 (/lib and /lib64 binaries)

How reproducible:
Configure /etc/security/limits.conf.  Login via any method.  Notice that the
limits are not applied by running 'ulimit -a'.  Notice that contents of
/etc/pam.d/system-auth and other /etc/pam.d/ files are correct, and require
limits modules.

Steps to Reproduce:
1. configure /etc/security/limits.conf to limit RSS memory to any value for group
users
2. create group users; create a user and added to group 'users'
3. login with new user
4. look at ulimit -a, that RSS memory is unlimited
  
Actual results:
no limits are applied, not RSS nor no. procs., or any other limit

Expected results:
limits to apply in same fashion as RHE3

Additional info:
Comment 1 Tomas Mraz 2006-05-02 12:16:18 EDT
Could you try to upgrade to the latest pam package available? (0.77-66.14)

And if it doesn't help could you attach your /etc/security/limits.conf here?
Comment 2 Timothy Stotts 2006-05-02 18:35:04 EDT
Updated to pam-0.77-66.14 .

Overwrote configs with .rpmnew for all of /etc/pam.d/ and /etc/security/ .

CASE 1:
   /bin/su - user
   limits are applied just as expected.

CASE 2:
   ssh user@localhost
   limits are not applied
Comment 3 Timothy Stotts 2006-05-02 18:37:27 EDT
Created attachment 128523 [details]
File from /etc/ssh/sshd_config

This config works fine with limits on RHEL3 .
Comment 4 Timothy Stotts 2006-05-02 18:38:59 EDT
Created attachment 128524 [details]
File from /etc/pam.d/sshd .

Comes with openssh-3.9p1-8.RHEL4.9 .
Comment 5 Timothy Stotts 2006-05-02 18:40:32 EDT
Created attachment 128525 [details]
File from /etc/security/limits.conf

Each limit applies perfectly when using '/bin/su - user', but not via ssh.
Console login behavior, unknown.
Comment 6 Timothy Stotts 2006-05-02 18:57:37 EDT
Updated to openssh-3.9p1-8.RHEL4.12 and restarted service.  No difference.
Comment 7 Timothy Stotts 2006-05-02 19:06:37 EDT
Added explicit 'UsePAM yes' to /etc/ssh/sshd_config.
Limits are now applied correctly.

Apparently, PAM authentication was default on RHEL3, but is not on RHEL4.  
Used a Gentoo box to figure this out :-).

Comment 8 Tomas Mraz 2006-05-03 02:42:58 EDT
NOTABUG as 'UsePAM yes' is in the default sshd_config in the openssh package.
After upgrade you must compare the .rpmnew file and the old one and make
appropriate changes.

Note You need to log in before you can comment on or make changes to this bug.