[ale] sshd and PAM

Joe Bayes jbayes at spoo.mminternet.com
Wed Nov 19 21:00:30 EST 2003


Chris Ricker typeth:

>The docs, such as they are, are 
>/usr/share/doc/pam-0.77/txts/README.pam_stack

Shoot, why couldn't I find those? I read the HTML docs, which don't
mention it; I guess I didn't look at the txt ones. 

>/etc/pam.d/system-auth
>----------------------
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>session     required      /lib/security/$ISA/pam_limits.so
>session     required      /lib/security/$ISA/pam_unix.so
>
>and 
>
>/etc/pam.d/sshd
>---------------
>auth       required     pam_stack.so service=system-auth
>auth       required     pam_nologin.so
>password   required     pam_stack.so service=system-auth
>session    required     pam_stack.so service=system-auth
>session    optional     pam_console.so
>
>Then the contents of the system-auth config file get substituted by
>pam_stack, so your effective sshd config is:
>
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>auth       required     pam_nologin.so
>password   required     pam_stack.so service=system-auth
>session     required      /lib/security/$ISA/pam_limits.so
>session     required      /lib/security/$ISA/pam_unix.so
>session    optional     pam_console.so

Wouldn't the 
password   required     pam_stack.so service=system-auth
line also get replaced by all the "password" lines in
/etc/pam.d/system-auth as well? (In this case, it would be ignored, right?)

>If you post /etc/pam.d/system-auth in addition to the /etc/pam.d/sshd, then 
>we can piece them together and figure it out....

Okay, get this. /etc/pam.d/system-auth contains the following two
"session" lines:
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

/etc/security/limits.conf contains a bunch of comments, and 
*              soft    core            50000
*              hard    core            100000

When I comment out the "hard" line, I can ssh in. When I don't, I
can't. Isn't that line just supposed to limit the size of a core dump
to 100K? I played with the size of the limit, and it still prevents me
from logging in with the limit at 1 or 100000, but at 0 (which iirc
means "unlimited") I can log in. 

Anyways, I can just comment out the line and problem solved, so thanks
for your help. This is something that *should* work, though, right? If
so, and if somebody can confirm it on their system, I'll submit a bug
report.

Thanks again.

Joe

--
Joe Bayes -- jbayes at spoo.mminternet.com
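
The pam_stack substitution discussed in this thread, as an added example (not code from the thread or from the PAM project): it flattens the two files quoted above to show which modules run for sshd, including the pam_limits.so session line that reads /etc/security/limits.conf. The names PAM_D, parse and expand are made up for illustration. It assumes simple control keywords (no bracketed controls), and it only lists modules; it does not model how the result of a sub-stack combines with the outer control flag.

```python
# Constructed sample input: the two files as quoted in the thread.
PAM_D = {
    "system-auth": """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
""",
    "sshd": """\
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
""",
}

def parse(text):
    """Yield (type, control, module, args) for each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2], fields[3:]

def expand(service, files, only_type=None, seen=()):
    """Flatten pam_stack references into (type, module, origin file) rows."""
    if service in seen:
        raise ValueError("pam_stack loop: " + " -> ".join(seen + (service,)))
    out = []
    for mtype, control, module, args in parse(files[service]):
        if only_type and mtype != only_type:
            continue  # a stacked service contributes only lines of the same type
        target = next((a[8:] for a in args if a.startswith("service=")), None)
        if module.endswith("pam_stack.so") and target:
            out += expand(target, files, mtype, seen + (service,))
        else:
            out.append((mtype, module.rsplit("/", 1)[-1], service))
    return out

if __name__ == "__main__":
    for mtype, module, origin in expand("sshd", PAM_D):
        print(f"{mtype:<9}{module:<16}from {origin}")
```

With the system-auth excerpt as quoted, which has no "password" lines, the password entry contributes no rows in this flattened listing.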


