#10: The maxlogins limit doesn't work
-----------------------+------------------------------
 Reporter:  wmknapik   |      Owner:  pam-developers@…
     Type:  defect     |     Status:  new
 Priority:  major      |  Component:  library
  Version:  1.1.x      |   Keywords:  maxlogins
Blocked By:            |   Blocking:
-----------------------+------------------------------
{{{
# We limit the max number of logins for user "user" to 1 on machine1.
# The machine has since been rebooted.
machine1 $ grep '^user.*maxlogins' /etc/security/limits.conf
user soft maxlogins 1
user hard maxlogins 1
machine1 $

# On machine2 we have a simple test written as a makefile.
machine2 $ cat test.mk
MAKEFLAGS += -j
tests := test1 test2

all: $(tests)
$(tests):
	ssh -f -q -t -t -i key -p 22210 -o 'StrictHostKeyChecking no' user@machine1 "sleep 1d; echo $@"
machine2 $

# We run the makefile in parallel (-j set in the makefile).
machine2 $ make -f test.mk
machine2 $

# Two processes managed to log in to machine1 despite the limit.
machine2 $ pgrep -lf 'ssh.*test[12]$'
28871 ssh -f -q -t -t -i key -p 22210 -o StrictHostKeyChecking no user@machine1 sleep 1d; echo test2
28872 ssh -f -q -t -t -i key -p 22210 -o StrictHostKeyChecking no user@machine1 sleep 1d; echo test1
machine2 $

# Let's log into machine1 as root and see if there are actually two
# sessions open for user "user".
machine2 $ ssh -i key -p 22210 -o "StrictHostKeyChecking no" root@machine1
machine1 $ w
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
k3       pts/0    10.159.69.154    13:14    3:34   0.00s  0.00s bash -c sleep 1d; echo test1
k3       pts/1    10.159.69.154    13:14    3:34   0.00s  0.00s bash -c sleep 1d; echo test2
root     pts/2    10.159.69.154    13:17    0.00s  0.03s  0.00s w
machine1 $

# This test works as described above in at least one in 5 tries.
# Sometimes the limits do work and the second ssh process is not let in.
}}}
#10: The maxlogins limit doesn't work
----------------------+-------------------------------
 Reporter:  wmknapik  |       Owner:  pam-developers@…
     Type:  defect    |      Status:  new
 Priority:  major     |   Component:  modules
  Version:  1.1.x     |  Resolution:
 Keywords:  maxlogins |  Blocked By:
 Blocking:            |
----------------------+-------------------------------
Changes (by wmknapik):
* component: library => modules
Comment (by tmraz):
I suppose this is a race condition that is caused by the fact that the maximum logins is enforced during the pam session call but the user sessions in utmp are established only after the pam session call is finished. So two simultaneous logins do not see each other. It would be really hard if not impossible to fix this race.
But we can document this race in the pam_limits manual page.
#10: The maxlogins limit doesn't work
----------------------+-------------------------------
 Reporter:  wmknapik  |       Owner:  pam-developers@…
     Type:  defect    |      Status:  closed
 Priority:  major     |   Component:  modules
  Version:  1.1.x     |  Resolution:  wontfix
 Keywords:  maxlogins |  Blocked By:
 Blocking:            |
----------------------+-------------------------------
Changes (by kukuk):

 * status:  new => closed
 * cc: kukuk@… (added)
 * resolution:  => wontfix
Comment:
utmp isn't really safe against concurrent logins. I documented this now in the limits.conf.5 manual page. There is no real way to implement this in a really safe way; this would need kernel support.
pam-developers@lists.fedorahosted.org
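
The check-then-record window described in the comments above, as a deterministic toy model (an added example, not code from pam_limits or from this ticket). The in-memory `utmp` list, the function names and the barrier that makes every check finish before any entry is written are assumptions made for illustration.

```python
import threading

MAXLOGINS = 1  # mirrors "user hard maxlogins 1" from the report


def session_check(utmp, user):
    # As described in the comment: the limit is evaluated during the PAM
    # session call by counting the sessions already recorded in utmp.
    return utmp.count(user) < MAXLOGINS


def login(utmp, user, gap=None):
    """Return True if admitted; `gap` models the window between check and record."""
    allowed = session_check(utmp, user)
    if gap is not None:
        gap.wait()  # every concurrent login has finished its check by now
    if allowed:
        utmp.append(user)  # the utmp entry is written only after the check
    return allowed


def simultaneous_logins(user, n):
    """n logins whose checks all complete before any utmp entry is written."""
    utmp, results, gap = [], [], threading.Barrier(n)
    threads = [threading.Thread(target=lambda: results.append(login(utmp, user, gap)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), utmp.count(user)


def sequential_logins(user, n):
    """n logins where each one finishes before the next one starts."""
    utmp = []
    admitted = sum(login(utmp, user) for _ in range(n))
    return admitted, utmp.count(user)


if __name__ == "__main__":
    print("simultaneous:", simultaneous_logins("user", 2))  # (2, 2): limit bypassed
    print("sequential:  ", sequential_logins("user", 2))    # (1, 1): limit enforced
```

The sequential case corresponds to the runs in the report where the second ssh process is refused; the simultaneous case corresponds to the runs where both sessions appear in `w`.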