[Bug 83] New: fork() fails when there are PAM limits set
Darren Moffat
Darren.Moffat at eng.sun.com
Fri Feb 1 05:03:27 EST 2002
>> The problem is, when you set some resource limits in /etc/security/limits.conf
>> for group X - nproc 20 ( maximum of running user processes - 20 ), and try to
>> log with some user with group X, sshd says 'fork failed - resource temporary
>> unavailable'. There are no other processes running for this user, and as far as
>> I've seen, it makes something like authenticate-set limits-fork()-setuid(), and
>> because there is a moment when it's running under root with really lowered
>> limits, it bombs out.
>> Any solutions?
>
>My understanding of this is that it's a result of a fundamental
>mis-design of PAM - you have to do the entire PAM conversation in one
>go (as root), so this sort of PAM-based limiting is always going to be
>prone to this sort of error.
No. There is nothing wrong with the PAM API.
The problem here is misconfiguration of a particular PAM module provided
by some Linux distributions and how it interacts with OpenSSH. The problem
is the module not the PAM API.
--
Darren J Moffat