Hello Tomas,
I really appreciate your quick response on this. And apologies if I am asking repeated questions.
I am seeing this behavior on the default login service which comes with the RHEL 6.x installation. I have not modified it. Below is the configuration for the same.
[myuser@myhost ~]$ cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
Do you still recommend rechecking with only "auth required pam_permit.so"?
To understand the API I was referring to the online documentation for linux-pam (http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_authenticate).
On the same page, in "What can be expected by the application" under "3.1.1.1. DESCRIPTION", the following is mentioned:
"The pam_handle_t is a blind structure and the application should not attempt to probe it directly for information. Instead the PAM library provides the functions pam_set_item(3) and pam_get_item(3). The PAM handle cannot be used for multiple authentications at the same time as long as pam_end was not called on it before."
To me this implies that if pam_end is not called the same handle can be reused. Can you please reconfirm if the understanding is correct?
Thanks & Regards,
MINAL PATIL
From: Tomas Mraz <tmraz@xxxxxxxxxx>
To: Minal Patil <minalk.patil@xxxxxxxxx>; Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
Sent: Friday, 19 December 2014 5:01 PM
Subject: Re: delay observed in pam_authenticate when called multiple times.
On Fri, 2014-12-19 at 09:06 +0000, Minal Patil wrote:
> Hello Sir/Madam,
> I am working on a PAM authentication module where I am seeing delay in pam_authenticate when called in successive manner. Below is my PAM function call sequence.
> pam_start()
> ...
> 1. pam_authenticate()
> 2. pam_authenticate()
> 3. pam_authenticate()
>
> 4. pam_authenticate()
>
> ....
>
> 1000. pam_authenticate()
> ....
> pam_end()
>
> It is observed that the first pam_authenticate responds in 40 ms. The response time goes up with every subsequent pam_authenticate call. For the 1000th call the response time is observed to be 2 seconds.
>
> Below are my system details:
>
> [myuser@myhost workdir]$ ls -l /lib/libpam*
> lrwxrwxrwx. 1 root root 17 Oct 18 2013 /lib/libpamc.so.0 -> libpamc.so.0.82.1
> -rwxr-xr-x. 1 root root 13764 Oct 15 2012 /lib/libpamc.so.0.82.1
> lrwxrwxrwx. 1 root root 21 Oct 18 2013 /lib/libpam_misc.so.0 -> libpam_misc.so.0.82.0
> -rwxr-xr-x. 1 root root 11460 Oct 15 2012 /lib/libpam_misc.so.0.82.0
> lrwxrwxrwx. 1 root root 16 Oct 18 2013 /lib/libpam.so.0 -> libpam.so.0.82.2
> -rwxr-xr-x. 1 root root 52540 Oct 15 2012 /lib/libpam.so.0.82.2
> [myuser@myhost workdir]$ uname -a
> Linux myhost 2.6.32-358.18.1.el6.i686 #1 SMP Fri Aug 2 17:10:27 EDT 2013 i686 i686 i386 GNU/Linux
> [myuser@myhost workdir]$ cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.4 (Santiago)
>
> I have observed the same behavior on RHEL 6.2 as well.
> https://www.redhat.com/mailman/listinfo/pam-list
Which PAM modules do you have configured in the PAM stack? Do you
observe the same behavior even with PAM stack containing a single:
auth required pam_permit.so
If not, you have to find out which PAM module causes the delay although
I suppose this can be multiple modules as PAM stack was not designed to
operate this way. You should always call pam_start(), pam_authenticate()
and pam_end().
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
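
The isolation test suggested in the thread, as an added example that is not part of the original messages: it calls libpam through ctypes and times pam_authenticate() once with a single reused handle and once with a fresh pam_start()/pam_end() pair per attempt, then fits the latency growth per call. The service name "pamtest", the user "myuser" and the helper names are assumptions made for this example.

```python
from ctypes import CDLL, CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int, c_void_p
from ctypes.util import find_library
import time

PAM_SUCCESS, PAM_CONV_ERR = 0, 19
CONV_FUNC = CFUNCTYPE(c_int, c_int, c_void_p, c_void_p, c_void_p)

class PamConv(Structure):  # mirrors struct pam_conv
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]

# A pam_permit.so-only stack never prompts, so the callback just refuses.
REFUSE = CONV_FUNC(lambda n, msg, resp, data: PAM_CONV_ERR)

def load_pam():
    path = find_library("pam")
    if path is None:
        raise OSError("libpam not found")
    lib = CDLL(path)
    lib.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    lib.pam_authenticate.argtypes = [c_void_p, c_int]
    lib.pam_end.argtypes = [c_void_p, c_int]
    return lib

def time_auth(lib, service, user, rounds, reuse):
    """Per-call pam_authenticate() latency in ms; reuse=True keeps one handle."""
    conv, handle, status, lat = PamConv(REFUSE, None), c_void_p(), PAM_SUCCESS, []
    for i in range(rounds):
        if i == 0 or not reuse:  # fresh transaction for every attempt unless reusing
            if lib.pam_start(service, user, byref(conv), byref(handle)) != PAM_SUCCESS:
                raise RuntimeError("pam_start failed")
        t0 = time.perf_counter()
        status = lib.pam_authenticate(handle, 0)
        lat.append((time.perf_counter() - t0) * 1000.0)
        if i == rounds - 1 or not reuse:  # pam_end() releases the handle's state
            lib.pam_end(handle, status)
    return lat

def growth_per_call(lat):
    """Least-squares slope of latency against call index, in ms per call."""
    mx, my = (len(lat) - 1) / 2, sum(lat) / len(lat)
    den = sum((i - mx) ** 2 for i in range(len(lat)))
    return sum((i - mx) * (y - my) for i, y in enumerate(lat)) / den

if __name__ == "__main__":
    # Assumption: /etc/pam.d/pamtest (hypothetical) holds only "auth required pam_permit.so".
    pam = load_pam()
    for reuse in (True, False):
        lat = time_auth(pam, b"pamtest", b"myuser", 1000, reuse)
        print(reuse, round(lat[0], 2), round(lat[-1], 2), round(growth_per_call(lat), 4))
```

A slope that is positive only with reuse=True ties the growth to the reused handle; repeating the run against the real service stack then shows how much the configured modules add.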