Spike.White at dell.com
2017-Feb-27 23:08 UTC
How to successfully run pam_limits with sshd privilege separation disabled?
All,

I see OpenSSH 7.4 was released in Dec, 2016. Reading the release notes, I see this comment:

    Future deprecation notice
    ========================

    We plan on retiring more legacy cryptography in future releases,
    specifically:

    ...
     * The next release of OpenSSH will remove support for running sshd(8)
       with privilege separation disabled.
    ...

    This list reflects our current intentions, but please check the final
    release notes for future releases.

Here's my question. How can you successfully run pam_limits.so with sshd privilege separation?

It's very common for the administrative account on Linux-based apps to bump up limit settings. Such as "nofiles", for applications that get a lot of concurrent client connections.

Here's an example /etc/pam.d/limits.conf file:

    oracle hard memlock unlimited
    oracle soft memlock unlimited
    # processoemagent setting for nofile hard and soft limit is 4096
    processoemagent hard nofile 4096
    processoemagent soft nofile 4096

As you know, only root can upsize the default limits. So without privilege separation, the child sshd process runs as root, upsizes the limits as specified in limits.conf file and then drops down to the specific user. Life is good.

Without privilege separation, the child sshd seems to run as the regular user and so upsizing these limits settings seems to fail.

Spike
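
The kernel rule behind the question, as an added example that is not part of the original post and is not OpenSSH or pam_limits code: on Linux a process may always lower its RLIMIT_NOFILE hard limit but needs CAP_SYS_RESOURCE (normally root) to raise it, so limits have to be applied before privileges are dropped. The function name try_raise_hard_nofile and the values 64 and 128 are constructed for the demo.

```c
/* Added example: constructed demo, not OpenSSH or pam_limits code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in a forked child so the caller's own limits are untouched.
 * Lowers the RLIMIT_NOFILE hard limit, then tries to raise it again.
 * Returns 0 if the raise worked, setrlimit()'s errno if not, -1 on setup error. */
int try_raise_hard_nofile(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        int result = -1;
        close(fds[0]);
        if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_max > 64) {
            rl.rlim_cur = rl.rlim_max = 64;   /* lowering: always allowed */
            if (setrlimit(RLIMIT_NOFILE, &rl) == 0) {
                rl.rlim_max = 128;            /* raising: needs privilege */
                result = (setrlimit(RLIMIT_NOFILE, &rl) == 0) ? 0 : errno;
            }
        }
        if (write(fds[1], &result, sizeof result) != (ssize_t)sizeof result) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    int result = -1;
    ssize_t n = read(fds[0], &result, sizeof result);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof result ? result : -1;
}

int main(void)
{
    int r = try_raise_hard_nofile();
    printf("euid=%d raise hard nofile: %s\n", (int)geteuid(),
           r == 0 ? "ok" : r > 0 ? strerror(r) : "setup error");
    return 0;
}
```

Run as a regular user the raise fails with EPERM; run as root with CAP_SYS_RESOURCE it succeeds.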