Bug 190456 - limits.conf ignored by ssh pam logins
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.0
Hardware: x86_64 Linux
Assignee: Tomas Mraz
QA Contact: Jay Turner
Reported: 2006-05-02 15:38 UTC by Timothy Stotts
Modified: 2015-01-08 00:12 UTC (History)

Doc Type: Bug Fix
Last Closed: 2006-05-03 06:42:58 UTC

Attachments
File from /etc/ssh/sshd_config (1.46 KB, text/plain)
2006-05-02 22:37 UTC, Timothy Stotts
File from /etc/pam.d/sshd . (317 bytes, text/plain)
2006-05-02 22:38 UTC, Timothy Stotts
File from /etc/security/limits.conf (1.56 KB, text/plain)
2006-05-02 22:40 UTC, Timothy Stotts

Description Timothy Stotts 2006-05-02 15:38:14 UTC
All pam authentication ignores the limits.conf settings, whether ssh or physical

Version-Release number of selected component (if applicable):
pam-0.77-66.13 (/lib and /lib64 binaries)

How reproducible:
Configure /etc/security/limits.conf.  Login via any method.  Notice that the
limits are not applied by running 'ulimit -a'.  Notice that contents of
/etc/pam.d/system-auth and other /etc/pam.d/ files are correct, and require
limits modules.

Steps to Reproduce:
1. configure /etc/security/limits.conf to limit RSS memory to any value for group
2. create group users; create a user and add it to group 'users'
3. login with new user
4. look at ulimit -a, that RSS memory is unlimited

Actual results:
no limits are applied, neither RSS nor no. procs., nor any other limit

Expected results:
limits to apply in same fashion as RHEL3

Additional info:

Comment 1 Tomas Mraz 2006-05-02 16:16:18 UTC
Could you try to upgrade to the latest pam package available? (0.77-66.14)

And if it doesn't help could you attach your /etc/security/limits.conf here?

Comment 2 Timothy Stotts 2006-05-02 22:35:04 UTC
Updated to pam-0.77-66.14 .

Overwrote configs with .rpmnew for all of /etc/pam.d/ and /etc/security/ .

   /bin/su - user
   limits are applied just as expected.

   ssh user@localhost
   limits are not applied

Comment 3 Timothy Stotts 2006-05-02 22:37:27 UTC
Created attachment 128523
File from /etc/ssh/sshd_config

This config works fine with limits on RHEL3 .

Comment 4 Timothy Stotts 2006-05-02 22:38:59 UTC
Created attachment 128524
File from /etc/pam.d/sshd .

Comes with openssh-3.9p1-8.RHEL4.9 .

Comment 5 Timothy Stotts 2006-05-02 22:40:32 UTC
Created attachment 128525
File from /etc/security/limits.conf

Each limit applies perfectly when using '/bin/su - user', but not via ssh.
Console login behavior, unknown.

Comment 6 Timothy Stotts 2006-05-02 22:57:37 UTC
Updated to openssh-3.9p1-8.RHEL4.12 and restarted service.  No difference.

Comment 7 Timothy Stotts 2006-05-02 23:06:37 UTC
Added explicit 'UsePAM yes' to /etc/ssh/sshd_config.
Limits are now applied correctly.

Apparently, PAM authentication was default on RHEL3, but is not on RHEL4.  
Used a Gentoo box to figure this out :-).

Comment 8 Tomas Mraz 2006-05-03 06:42:58 UTC
NOTABUG as 'UsePAM yes' is in the default sshd_config in the openssh package.
After upgrade you must compare the .rpmnew file and the old one and make
appropriate changes.
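
The resolution above comes down to two conditions: sshd only runs the PAM account and session stacks when UsePAM is yes, and pam_limits has to be reachable from the sshd service's session stack. The script below is an added example, not part of the bug report or of the pam or openssh packages; its function names and sample files are constructed for illustration, and it assumes the upstream OpenSSH default of "no" when UsePAM is absent.

```shell
# Effective UsePAM: the first occurrence of a keyword wins, keywords are
# case-insensitive, UsePAM is not valid inside Match blocks, and upstream
# OpenSSH defaults to "no" when it is absent (assumption stated above).
effective_usepam() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "match"  { exit }
         tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Succeeds if the session stack of service $2 in PAM directory $1 reaches
# pam_limits.so, following "pam_stack.so service=X" (RHEL 4 era) and
# "include X" / "substack X" (later releases), at most 5 levels deep.
session_has_limits() {
    awk -v dir="$1" -v root="$2" '
    function scan(svc, depth,    f, line, L, m, k, a, n, i, hit) {
        if (depth > 5) return 0
        f = dir "/" svc
        while ((getline line < f) > 0) L[++m] = line
        close(f)
        for (k = 1; k <= m && !hit; k++) {
            sub(/#.*/, "", L[k]); sub(/\[[^]]*\]/, "ctl", L[k])  # [a=b c=d] -> one field
            n = split(L[k], a, " ")
            if (tolower(a[1]) !~ /^-?session$/) continue
            if (a[3] ~ /pam_limits\.so$/) hit = 1
            else if (a[2] ~ /^(include|substack)$/) hit = scan(a[3], depth + 1)
            else if (a[3] ~ /pam_stack\.so$/)
                for (i = 4; i <= n; i++)
                    if (sub(/^service=/, "", a[i])) hit = scan(a[i], depth + 1)
        }
        return hit + 0
    }
    BEGIN { exit !scan(root, 0) }'
}

ssh_limits_enforced() {   # $1 = sshd_config, $2 = PAM directory
    [ "$(effective_usepam "$1")" = yes ] && session_has_limits "$2" sshd
}

# Constructed sample files modelled on the thread, not the reporter's attachments.
demo=$(mktemp -d)
printf '%s\n' 'session required pam_stack.so service=system-auth' > "$demo/sshd"
printf '%s\n' 'session required /lib/security/$ISA/pam_limits.so' > "$demo/system-auth"
printf '%s\n' '#UsePAM no' 'X11Forwarding yes' > "$demo/sshd_config.old"
printf '%s\n' 'UsePAM yes' 'X11Forwarding yes' > "$demo/sshd_config.new"
for f in old new; do
    ssh_limits_enforced "$demo/sshd_config.$f" "$demo" && r=applied || r='NOT applied'
    echo "sshd_config.$f: pam_limits $r for ssh logins"
done
```

On a live host, run ssh_limits_enforced /etc/ssh/sshd_config /etc/pam.d after merging any .rpmnew files; the script does not follow sshd_config Include directives.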
