Since PAM session modules are run as root, we can turn pam_limits back on

by default, and it no longer spits out "Operation not permitted" to syslog
(closes: #171673).

2 files changed, 5 insertions, 3 deletions

diff --git a/debian/changelog b/debian/changelog
index a232b42da..a8259ef8e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ openssh (1:3.8p1-1) UNRELEASED; urgency=low
   * New upstream release (closes: #232281):
     - New PAM implementation based on that in FreeBSD. This runs PAM session
       modules before dropping privileges (closes: #132681, #150968).
+    - Since PAM session modules are run as root, we can turn pam_limits back
+      on by default, and it no longer spits out "Operation not permitted" to
+      syslog (closes: #171673).
     - Password expiry works again (closes: #153235).
     - 'ssh -q' suppresses login banner (closes: #134589).
     - sshd doesn't lie to PAM about invalid usernames (closes: #157078).
diff --git a/debian/ssh.pam b/debian/ssh.pam
index 81c18371e..8882053df 100644
--- a/debian/ssh.pam
+++ b/debian/ssh.pam
@@ -22,9 +22,8 @@ session    optional     pam_motd.so # [1]
 # Print the status of the user's mailbox upon successful login.
 session    optional     pam_mail.so standard noenv # [1]
 
-# Set up user limits. Uncomment this and read /etc/security/limits.conf to
-# enable this functionality.
-# session    required     pam_limits.so
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
 
 # Standard Un*x password updating.
 @include common-password