Thursday, December 22, 2011

Understanding PAM limits, pam.d, pam_limits.so, and /etc/pam.d/login

In the 10g world, Oracle often recommended adding the following line to /etc/pam.d/login in Linux installations:
session required /lib/security/pam_limits.so

In the 11g world, Oracle is not as explicit in recommending this setting.

What is this setting? Why is it needed?

Here are some points that might help clarify the purpose of this setting:
  • PAM stands for Pluggable Authentication Module.
  • PAM provides a way to develop programs that are independent of the underlying authentication scheme.
  • Adding this setting applies resource limits (those defined in /etc/security/limits.conf) to login sessions.
  • The setting above can be added to /etc/pam.d/login, /etc/pam.d/sshd, or /etc/pam.d/su, depending on whether you want to set limits on 'login', 'ssh', or 'su' types of logins.
  • The PAM module (pam_limits.so) is not loaded by default for various applications such as 'login', 'ssh', or 'su', so adding the line loads it explicitly, which lets you limit those login sessions.

It is recommended to add this setting, together with process and open-file limits in /etc/security/limits.conf. This prevents exhaustion of OS resources under extremely heavy or unforeseen load; otherwise the server may become unresponsive and/or inaccessible. It is preferable to let the application fail and throw an error rather than have the entire server crash.
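As an added example (not from the original post), the following POSIX shell script checks whether a pam.d service file actually loads pam_limits.so and looks up a user's entries in a limits.conf-style file. It runs against constructed sample files in a temporary directory; the file contents and the numeric limits are illustrative assumptions, not the post's recommended values.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a pam.d service
# file loads pam_limits.so and look up a user's limits.conf entries.
# Works on constructed sample files so it runs on any machine.

# pam_limits_enabled FILE: succeed if FILE has an uncommented "session" line
# that loads pam_limits.so (bare module name or /lib/.../security/ path).
pam_limits_enabled() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|requisite|optional|sufficient|\[[^]]*\])[[:space:]]+(/lib(64)?/security/)?pam_limits\.so' "$1"
}

# user_limit_value USER ITEM TYPE FILE: print the value set for USER's ITEM
# (nofile, nproc, ...) of TYPE (soft/hard). limits.conf lines have the form
# "<domain> <type> <item> <value>"; comments are stripped first.
user_limit_value() {
    sed 's/#.*//' "$4" | awk -v u="$1" -v i="$2" -v t="$3" \
        '$1 == u && $2 == t && $3 == i { print $4 }'
}

tmp=$(mktemp -d)
# Constructed /etc/pam.d/login that lacks the line the post recommends.
cat > "$tmp/login.before" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
session    include      system-auth
# session required /lib/security/pam_limits.so   (commented out: inactive)
EOF
# The same file with the recommended line appended.
cp "$tmp/login.before" "$tmp/login.after"
echo 'session    required     /lib/security/pam_limits.so' >> "$tmp/login.after"
# Constructed /etc/security/limits.conf; the numbers are sample values only.
cat > "$tmp/limits.conf" <<'EOF'
oracle  soft  nproc   2047
oracle  hard  nproc   16384
oracle  soft  nofile  1024    # open files
oracle  hard  nofile  65536
EOF

for f in login.before login.after; do
    if pam_limits_enabled "$tmp/$f"; then
        echo "$f: pam_limits.so is active, limits.conf applies to these logins"
    else
        echo "$f: pam_limits.so not loaded, limits.conf entries are ignored"
    fi
done
echo "oracle hard nofile = $(user_limit_value oracle nofile hard "$tmp/limits.conf")"
```

The check inspects only the named file; it does not follow `include` lines, so a module pulled in through a shared stack such as system-auth would not be detected by it.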

Check out this link for recommended settings.


References
  • http://blog.ipnweb.com/2011/10/setting-ulimit-for-oracle-soa-suite-11g.html
  • http://linux.die.net/man/8/pam_limits
  • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=63230
  • http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:454420165038
  • http://www.kernel.org/pub/linux/libs/pam/whatispam.html

Ahmed Aboulnaga
