openssh + pam errors (fwd)

Damien Miller djm at
Tue Feb 12 17:16:35 EST 2002

On Tue, 12 Feb 2002, Rob Mosher wrote:

> heres a fix for pam support im openssh, inline and attached..  openssh
> calls do_pam_session early, before a fork().  it does this on the proc
> still running as root, so it checks the users limits, against what root
> has running, and depending on limits can fail at the fork() (and almost
> always does).  this patch moves it past the fork.  ive been running it for
> a couple of weeks and everything seems good.  i used to have to use
> uselogin yes and set the limits with login because openssh was broken,
> but this takes care of it.

BTW this is bug #83[1], here is my commentry on the bug itself. Please 
post followups through bugzilla.

> The problem is that we call pam_session as root, before we fork the 
> child. Therefore the server picks up the limits, rather than the child. 
> I recall that we tried moving the pam_session call to the child a while
> (~18 months) ago to avoid this problem, but other stuff broke much 
> worse. IIRC the breakage was because we did pam_session stuff in one 
> process (as non-root)  and then did cleanup in another process (as 
> root).
> A possible way around this is with a gratuitous fork() before we call
> pam_session, but that is pretty ugly.



More information about the openssh-unix-dev mailing list