Bug 190456 - limits.conf ignored by ssh pam logins
Summary: limits.conf ignored by ssh pam logins
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-05-02 15:38 UTC by Timothy Stotts
Modified: 2015-01-08 00:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-03 06:42:58 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
File from /etc/ssh/sshd_config (1.46 KB, text/plain)
2006-05-02 22:37 UTC, Timothy Stotts 		no flags Details
File from /etc/pam.d/sshd . (317 bytes, text/plain)
2006-05-02 22:38 UTC, Timothy Stotts 		no flags Details
File from /etc/security/limits.conf (1.56 KB, text/plain)
2006-05-02 22:40 UTC, Timothy Stotts 		no flags Details
View All

Description Timothy Stotts 2006-05-02 15:38:14 UTC 
All pam authentication ignores the limits.conf settings, whether ssh or physical
login.


Version-Release number of selected component (if applicable):
pam-0.77-66.13 (/lib and /lib64 binaries)

How reproducible:
Configure /etc/security/limits.conf.  Login via any method.  Notice that the
limits are not applied by running 'ulimit -a'.  Notice that contents of
/etc/pam.d/system-auth and other /etc/pam.d/ files are correct, and require
limits modules.

Steps to Reproduce:
1. configure /etc/security/limits.conf to limit RSS memory to any value for group
users
2. create group users; create a user and added to group 'users'
3. login with new user
4. look at ulimit -a, that RSS memory is unlimited
  
Actual results:
no limits are applied, not RSS nor no. procs., or any other limit

Expected results:
limits to apply in same fashion as RHE3

Additional info:
Comment 1 Tomas Mraz 2006-05-02 16:16:18 UTC 
Could you try to upgrade to the latest pam package available? (0.77-66.14)

And if it doesn't help could you attach your /etc/security/limits.conf here?
Comment 2 Timothy Stotts 2006-05-02 22:35:04 UTC 
Updated to pam-0.77-66.14 .

Overwrote configs with .rpmnew for all of /etc/pam.d/ and /etc/security/ .

CASE 1:
   /bin/su - user
   limits are applied just as expected.

CASE 2:
   ssh user@localhost
   limits are not applied
Comment 3 Timothy Stotts 2006-05-02 22:37:27 UTC 
Created attachment 128523 [details]
File from /etc/ssh/sshd_config

This config works fine with limits on RHEL3 .
Comment 4 Timothy Stotts 2006-05-02 22:38:59 UTC 
Created attachment 128524 [details]
File from /etc/pam.d/sshd .

Comes with openssh-3.9p1-8.RHEL4.9 .
Comment 5 Timothy Stotts 2006-05-02 22:40:32 UTC 
Created attachment 128525 [details]
File from /etc/security/limits.conf

Each limit applies perfectly when using '/bin/su - user', but not via ssh.
Console login behavior, unknown.
Comment 6 Timothy Stotts 2006-05-02 22:57:37 UTC 
Updated to openssh-3.9p1-8.RHEL4.12 and restarted service.  No difference.
Comment 7 Timothy Stotts 2006-05-02 23:06:37 UTC 
Added explicit 'UsePAM yes' to /etc/ssh/sshd_config.
Limits are now applied correctly.

Apparently, PAM authentication was default on RHEL3, but is not on RHEL4.  
Used a Gentoo box to figure this out :-).
Comment 8 Tomas Mraz 2006-05-03 06:42:58 UTC 
NOTABUG as 'UsePAM yes' is in the default sshd_config in the openssh package.
After upgrade you must compare the .rpmnew file and the old one and make
appropriate changes.
Note You need to log in before you can comment on or make changes to this bug.