FreeIPA allocates a random uid range for its use between 200k and 2G. If an user with uid like 1280000008 logs in, the lastlog file size jumps to almost 400G as lastlog is defined as a sparse file. The problem is when PAM with pam_limit module is used and the user has fsize limit set. When sshd monitor process tries to write lastlog file, it's already limited by pam_limit as a pam session is opened. And when the lastlog file is bigger than the fsize limit, the process gets SIGXFSZ signal and silently dies. In other cases when lastlog entry can't be written, sshd logs the problem and continues. Therefore I think that SIGXFSZ signal could be ignored in the monitor process. atomicio() would set correctly errno and lastlog_write_entry() would log the file size problem.
Created attachment 2461 [details] Ignore SIGXFSZ in preauth monitor
This will be in openssh-6.7
Unfortunatelly, it doesn't fix the issue. lastlog is written in postauth phase so SIGXFSZ has to be ignored there.
Created attachment 2462 [details] Ignore SIGXFSZ in postauth monitor child Using this patch, the following message is logged in the described scenario: Aug 26 16:31:14 hulk.w.lan sshd[27852]: lastlog_write_entry: Error writing to /var/log/lastlog: File too large Reproducer: - create an user with uid 1280000008 - set openssh to use pam - set pam to use pam_limit.so session required pam_limits.so - add following line to /etc/security/limits.conf user hard fsize 1024000 - try to login as user
Created attachment 2463 [details] Ignore SIGXFSZ in postauth monitor child
applied - thanks
Close all bugs left open from 6.6 and 6.7 releases.