openssh + pam errors (fwd)
Damien Miller
djm at mindrot.org
Tue Feb 12 17:16:35 EST 2002
On Tue, 12 Feb 2002, Rob Mosher wrote:
> Here's a fix for pam support in openssh, inline and attached. openssh
> calls do_pam_session early, before a fork(). It does this on the proc
> still running as root, so it checks the user's limits against what root
> has running, and depending on limits can fail at the fork() (and almost
> always does). This patch moves it past the fork. I've been running it for
> a couple of weeks and everything seems good. I used to have to use
> uselogin yes and set the limits with login because openssh was broken,
> but this takes care of it.
BTW this is bug #83[1], here is my commentary on the bug itself. Please
post followups through bugzilla.
> The problem is that we call pam_session as root, before we fork the
> child. Therefore the server picks up the limits, rather than the child.
>
> I recall that we tried moving the pam_session call to the child a while
> (~18 months) ago to avoid this problem, but other stuff broke much
> worse. IIRC the breakage was because we did pam_session stuff in one
> process (as non-root) and then did cleanup in another process (as
> root).
>
> A possible way around this is with a gratuitous fork() before we call
> pam_session, but that is pretty ugly.
-d
[1] http://bugzilla.mindrot.org/show_bug.cgi?id=83
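The ordering problem discussed in this message, as an added example that is not part of the original post or of OpenSSH: resource limits applied before fork() stay on the long-lived parent, while limits applied after fork() land only on the child. It assumes RLIMIT_NOFILE as a harmless stand-in for whatever limits a PAM session module sets, makes no PAM calls, and its function names (apply_session_limit, run_order) are hypothetical.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct result { rlim_t server_after, child; };

static rlim_t current_soft(void) {
    struct rlimit rl;
    getrlimit(RLIMIT_NOFILE, &rl);
    return rl.rlim_cur;
}
/* Stand-in for a session module's limits; soft limit only, so it can be undone. */
static int apply_session_limit(rlim_t soft) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rl.rlim_cur = soft;
    return setrlimit(RLIMIT_NOFILE, &rl);
}
/* in_child == 0: limits applied before fork(), in the server (the reported order).
 * in_child == 1: limits applied after fork(), in the child only. */
static int run_order(int in_child, rlim_t session_soft, struct result *out) {
    rlim_t saved = current_soft();
    int fds[2];
    if (pipe(fds) != 0) return -1;
    if (!in_child && apply_session_limit(session_soft) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: the user's session */
        if (in_child) apply_session_limit(session_soft);
        rlim_t v = current_soft();
        _exit(write(fds[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &out->child, sizeof out->child);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    out->server_after = current_soft();    /* what the parent is left with */
    apply_session_limit(saved);            /* undo, for the demo only */
    return n == (ssize_t)sizeof out->child ? 0 : -1;
}
int main(void) {
    struct result r;
    rlim_t s = current_soft() / 2;         /* constructed session limit */
    for (int order = 0; order <= 1; order++)
        if (run_order(order, s, &r) == 0)
            printf("in_child=%d server=%llu child=%llu\n", order,
                   (unsigned long long)r.server_after, (unsigned long long)r.child);
    return 0;
}
```

This shows only where the limits end up; it does not model the session cleanup that the message says broke when the call was moved into the child.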