[Bug 83] New: fork() fails when there are PAM limits set

Darren Moffat Darren.Moffat at eng.sun.com
Fri Feb 1 05:03:27 EST 2002

>>  The problem is, when you set some resource limits in 
>> for group X - nproc 20 ( maximum of running user processes - 20 ), and try 
>> log with some user with group X, sshd says 'fork failed - resource 
>> unavialable'. There are no other processes running for this user, and as 
far as
>> i've seen, it makes something like authenticate-set limits-fork()-setuid() 
, and
>> because there is a moment when it's running under root with really lowered
>> limits, it bombs out. 
>>   Any solutions?
>My understanding of this is that it's a result of a fundamental
>mis-design of PAM - you have to do the entire PAM conversation in one
>go (as root), so this sort of PAM-based limiting is always going to be
>prone to this sort of error.

No.  There is nothing wrong with the PAM API.

The problem here is misconfiguration of particular pam module provided
by some Linux distributions and how it interacts with OpenSSH.  The problem
is the module not the PAM API.

Darren J Moffat

More information about the openssh-unix-dev mailing list