How to successfully run pam_limits with sshd privilege separation disabled?
Spike.White at dell.com
Spike.White at dell.com
Tue Feb 28 10:08:51 AEDT 2017
Dell - Internal Use - Confidential
All,
I see OpenSSH 7.4 was released in Dec, 2016. Reading the release notes, I see this comment:
Future deprecation notice
=========================
We plan on retiring more legacy cryptography in future releases,
specifically:
...
* The next release of OpenSSH will remove support for running sshd(8)
with privilege separation disabled.
...
This list reflects our current intentions, but please check the final
release notes for future releases.
Here's my question. How can you successfully run pam_limits.so with sshd privilege separation?
It's very common for the administrative account on Linux-based apps to bump up limit settings. Such as "nofiles", for applications that get a lot of concurrent client connections.
Here's an example /etc/pam.d/limits.conf file:
oracle hard memlock unlimited
oracle soft memlock unlimited
# processoemagent setting for nofile hard and soft limit is 4096
processoemagent hard nofile 4096
processoemagent soft nofile 4096
As you know, only root can upsize the default limits. So without privilege separation, the child sshd process runs as root, upsizes the limits as specified in limits.conf file and then drops down to the specific user. Life is good.
Without privilege separation, the child sshd seems to run as the regular user and so upsizing these limits settings seems to fail.
Spike
More information about the openssh-unix-dev
mailing list