Another round of testing calls.

Ed Phillips ed at UDel.Edu
Thu Oct 25 23:38:50 EST 2001

On Wed, 24 Oct 2001, Darren Moffat wrote:

> Date: Wed, 24 Oct 2001 17:44:25 -0700 (PDT)
> From: Darren Moffat <Darren.Moffat at>
> To: openssh-unix-dev at
> Subject: Re: Another round of testing calls.
> >How do you enforce PAM limits without opening a session then?
> pam_limits should probably be either an pam_acct_mgmt or pam_setid module.

What is pam_setid?  Do you mean pam_setcred?  pam_setcred has always been
a little fuzzy... the pam_setcred from has changed function
between Sol2.6 and Sol7.  In 2.6, pam_sm_setcred did nothing and
initgroups() was called by login or other apps directly.  In Sol7,
pam_sm_setcred actually called initgroups() and the apps were made
to call pam_setcred with expectations of it calling initgroups().

> pam_limits doesn't exist on Solaris.  Solaris does how ever have pam_projects
> which deals with setting resource control information for project(4).

Caveat: You won't see that man page unless you have installed something
like Sol8 1/01 or newer.  If you have FCS + all Recommended Patches, you
won't see it (even though the features exist).

> It isn't really clear from the man pages what the true purpose of
> pam_open_session is but it can be infered from the Solaris man pages that
> it is really about dealing with files like lastlog/utmpx/wtmpx.

Yeah, that's been my feeling too.  Also, I've seen it described somewhere
that pam_session can be used to do site-specific things that your custom
modules implement, like custom logging, etc.  The stock is
pretty simple and you're suppoesed to stack a home-brew module with it to
do something "meaningful".


Ed Phillips <ed at> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at for PGP public key

More information about the openssh-unix-dev mailing list