Bug 25690 - fork resource limits (openssh/pam/kernel)
fork resource limits (openssh/pam/kernel)
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: pam (Show other bugs)
7.1
i386 Linux
low Severity low
: ---
: ---
Assigned To: Tomas Mraz
Aaron Brown
Florence Gold
:
: 27692 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-02-02 06:36 EST by martin.macok
Modified: 2005-10-31 17:00 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-09-16 06:21:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
"rpm -qa|sort" output (7.32 KB, text/plain)
2001-02-15 05:53 EST, martin.macok
no flags Details

  None (edit)
Description martin.macok 2001-02-02 06:36:42 EST
When I enter

@extern          hard    nproc           20

into /etc/security/limits.conf then openssh doesn't allow anybody from
group extern to log in remotely through ssh.

(SYSLOG: sshd[9523]: Disconnecting: fork failed: Resource temporarily
unavailable)

Other limits work well.

$ rpm -q pam openssh ; uname -a
pam-0.74-3
openssh-2.3.0p1-14
Linux xxxxxxxxxxx.mff.cuni.cz 2.4.1 #2 Wed Jan 31 13:14:29 CET 2001 i586
unknown

(BTW - same with up-to-date RH7.0 with Linux 2.4.x)
Comment 1 Glen Foster 2001-02-02 18:08:23 EST
We (Red Hat) should really fix this before the next release.
Comment 2 Nalin Dahyabhai 2001-02-13 04:41:09 EST
Please check if openssh-2.3.0p1-16 in http://people.redhat.com/nalin/test/ fixes
this for you.
Comment 3 martin.macok 2001-02-13 06:04:22 EST
No, this time it looks like it's ignoring /etc/security/limits.conf ...
User is allowed to log in but user can fork more processes than he is limited to.

maxlogins are also ignored (they're set to 4, but user is allowed to log in 6
times and more ...) priority is also ignored.

my /etc/pam.d/sshd:
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

my /etc/security/limits.conf:
ftp             hard    nproc           0
@extern          -       maxlogins       4
@extern          hard    nproc           20
@extern          hard    rss             40000
@extern          hard    priority        5
guest           hard    priority         10

I hope there is nothing special to "turn on" in kernel (I've got my own
2.4.2-pre2) or in sshd_config ... It worked before...
Comment 4 Nalin Dahyabhai 2001-02-13 16:48:46 EST
Ah, now I see.  There was some weirdness in how pam_limits handled group limits
on maximum logins (specifically, it didn't work).  Please try pam-0.74-8 in
http://people.redhat.com/nalin/test/, which should fix this.  Other items
(nprocs and friends) should already be working correctly with
openssh-2.3.0p1-16.
Comment 5 martin.macok 2001-02-13 17:51:21 EST
Does not work :( limits seemes to be ignored. User guest is allowed to log in
10-times and more and he can fork 60 and more processes. (same setup as above
with "guest" in group "extern" of course).

# rpm -q pam openssh ; uname -r
pam-0.74-8
openssh-2.3.0p1-16
2.4.2-pre2

The system is upgraded to current Rawhide.
Comment 6 Nalin Dahyabhai 2001-02-13 20:02:34 EST
Are you sure the user is in that group?  Is 'guest' listed when you run 'getent
group extern'?
Comment 7 martin.macok 2001-02-14 06:33:21 EST
[martin@sarah:~]% ssh -l guest -p 2222 localhost                        [11:37]
guest@localhost's password:
Last login: Wed Feb 14 11:37:03 2001 from localhost
You have mail.
[guest@sarah guest]$ id ; grep extern /etc/group ; getent group extern
uid=600(guest) gid=100(users) groups=100(users),603(extern)
extern:x:603:guest,...<censored list>
extern:x:603:guest,...<censored list>
[guest@sarah guest]$

<here I try to recursively or remotely repeat login to override maxlogins,
recursively run 60 shells ... with success> (see to /etc/pam.d/sshd &
/etc/security/limits.conf above)

If you need more info about configuration etc. ... just ask.
Comment 8 Nalin Dahyabhai 2001-02-14 12:12:59 EST
Try adding "debug" to the list of flags at the end of the pam_limits lines in
/etc/pam.d/ssh and /etc/pam.d/system-auth, the line "*.debug /var/log/debug" to
/etc/syslog.conf, and restarting both syslogd and sshd using their init scripts.

When you then attempt to log in, messages like these (along with others) should
be logged to /var/log/debug:
Feb 14 11:11:15 blade pam_limits[6814]: reading settings from
'//etc/security/limits.conf'
Feb 14 11:11:15 blade pam_limits[6814]: process_limit: processing(1) - maxlogins
4
Feb 14 11:11:15 blade pam_limits[6814]: checking logins for 'nalin' / 4
Feb 14 11:11:15 blade pam_limits[6814]: Too many logins (max 4) for nalin

If the limit you're setting is not shown being processed, then for whatever
reason, pam_limits has determined that the limit doesn't apply to the user who's
logging in.  If you don't see any of these, then it's likely that pam_limits
isn't being called (which is not happening on my test setup here).
Comment 9 martin.macok 2001-02-14 18:45:04 EST
Noo :(( look:

[root@ /etc/pam.d]# grep limit *
sshd:session    required     /lib/security/pam_limits.so debug
system-auth:session     required      /lib/security/pam_limits.so debug
[root@ /etc]# grep debug syslog.conf 
*.debug                 /var/log/debug
[root@ /var/log]# grep limit debug 
[root@ /var/log]# tail debug 
Feb 14 23:40:21 sarah sshd[13704]: Server listening on 0.0.0.0 port 2222.
Feb 14 23:40:21 sarah sshd[13704]: Generating 768 bit RSA key.
Feb 14 23:40:24 saFeb 14 23:40:59 sarah sshd[13712]: Accepted password for guest from 127.0.0.1 port 2298 ssh2
Feb 14 23:41:02 sarah sshd(pam_unix)[13712]: session closed for user guest
[root@ /etc]# rpm -q pam openssh ; uname -r
pam-0.74-8
openssh-2.3.0p1-16
2.4.2-pre2

:( Any suggestions? May I send somewhere "rpm -qa" or some other configuration? (The system is uptodate Rawhide ...)
Can the problem be somewhere else? Probably not because when I use pam/openssh from Rawhide, limits work well (except for nfork), with these versions it look like it's ignored ...
Comment 10 Nalin Dahyabhai 2001-02-14 21:26:45 EST
Yes, please attach the output of "rpm -qa | sort".  I'm baffled by this
problem.  There might be some clue there.
Comment 11 martin.macok 2001-02-15 05:53:11 EST
Created attachment 10080 [details]
"rpm -qa|sort" output
Comment 12 Nalin Dahyabhai 2001-02-16 11:14:14 EST
Um, that list includes pam-0.74-5 and openssh-2.3.0p1-14.  I'm assuming that's
that list of packages on the client, right?  The bugs are on the server end of
the connection, so I'd need that list.
Comment 13 Nalin Dahyabhai 2001-02-16 12:10:46 EST
*** Bug 27692 has been marked as a duplicate of this bug. ***
Comment 14 martin.macok 2001-02-16 12:18:46 EST
No, this is the server and these are the versions which now work for me (except
nfork that was the reason I reported this). When I did the tests, I always
downloaded and used the versions you told me to: (like this)

$ wget ...                        # download you versions
$ rpm --rebuild pam... openssh... # rebuild them
$ rpm -Uvh pam* openssh*          # upgrade to these new versions
$ <vi /etc/pam.d/... /etc/syslogd.conf .. ; restart sshd $ syslogd>
                  # add "debug" as you told me to
$ <do the test if limits work - NO>  # test if limits work - DOESNT :(
$ <report unsuccesfull tests>     # fill up bugzilla
$ rpm -Uvh openssh* pam* --oldpackage # downgrade back versions from Rawhide

So the "rpm -qa|sort" was the list on server (with rawhide's rpm's of
pam/openssh). When I did the tests I reported I ALWAYS USED YOUR VERSIONS of
openssh/pam (on the same machine - both client and server).
Comment 15 martin.macok 2001-03-05 05:01:36 EST
With openssh-2.5.1p1-2 and pam-0.74-12 (from rawhide) on release 7.0.91 (Wolverine) resource limits now work ok (fork, memory, priority ..) except for
MaxLogins:
limits.conf: 
@extern          -       maxlogins       4

but users from group extern are allowed to log more then 4 times ...
Comment 16 martin.macok 2001-03-08 07:40:20 EST
... and with newer rawhide's packages (openssh-2.5.1p1-7, pam-0.74-13) fork resource limits doesn't work (Disconnecting: fork failed: Resource temporarily
unavailable) and MaxLogins doesn't work (user from group @extern is allowed to login more times). Other limits (memory) seemes to work (according to "ulimit -a").
Comment 17 Nalin Dahyabhai 2001-03-09 15:06:22 EST
This is something of an architectural limitation.  I've been mulling over how
this could be fixed for a while now, but the crux of the problem is that sshd
opens the PAM session before it drops privileges (it has to, for modules like
pam_lastlog to work at all).  This causes the nproc limit to be affected by the
number of processes being run by the superuser (which is probably most of them),
so sshd is immediately unable to fork() off a child process to provide the login
session, and the whole thing fails.  That leaves the addition of a separate
limits processing stage to sshd's child process as the only viable solution, but
that may have to wait for another release.
Comment 18 martin.macok 2001-05-06 14:18:24 EDT
JFYI: the problem was not fixed in RH7.1 yet ... is it going to be in updates
someday? do you plan it?
Comment 19 Tomas Mraz 2004-09-16 06:21:15 EDT
Fixed in releases using pam-0.77.

Note You need to log in before you can comment on or make changes to this bug.