How to successfully run pam_limits with sshd privilege separation disabled?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Dell - Internal Use - Confidential
All,

I see OpenSSH 7.4 was released in Dec, 2016.  Reading the release notes, I see this comment:


Future deprecation notice

=========================



We plan on retiring more legacy cryptography in future releases,

specifically:

...

* The next release of OpenSSH will remove support for running sshd(8)
   with privilege separation disabled.

...


This list reflects our current intentions, but please check the final

release notes for future releases.


Here's my question.  How can you successfully run pam_limits.so with sshd privilege separation?

It's very common for the administrative account on Linux-based apps to bump up limit settings.  Such as "nofiles", for applications that get a lot of concurrent client connections.

Here's an example /etc/pam.d/limits.conf file:

oracle           hard    memlock         unlimited
oracle           soft    memlock         unlimited
# processoemagent setting for nofile hard and soft limit is 4096
processoemagent   hard   nofile    4096
processoemagent   soft   nofile    4096

As you know, only root can upsize the default limits.  So without privilege separation, the child sshd process runs as root, upsizes the limits as specified in limits.conf file and then drops down to the specific user.  Life is good.

Without privilege separation, the child sshd seems to run as the regular user and so upsizing these limits settings seems to fail.

Spike
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux