Re: delay observed in pam_authenticate when called multiple times.

Hello Tomas,

Really appreciate your quick response on this. And apologies if I am asking repeated questions.

I am seeing this behavior on the default login service which comes with the RHEL 6.x installation. I have not modified it. Below is its configuration.

[myuser@myhost ~]$ cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

Do you still recommend rechecking with only "auth required pam_permit.so"?

To understand the API I was referring to the online documentation for linux-pam. (http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_authenticate)

On the same page, in "What can be expected by the application" under "3.1.1.1. DESCRIPTION", the following is mentioned:

The pam_handle_t is a blind structure and the application should not attempt to probe it directly for information. Instead the PAM library provides the functions pam_set_item(3) and pam_get_item(3). The PAM handle cannot be used for multiple authentications at the same time as long as pam_end was not called on it before.

To me this implies that if pam_end is not called the same handle can be reused. Can you please reconfirm if the understanding is correct?
 

Thanks & Regards,
 
MINAL PATIL





From: Tomas Mraz <tmraz@xxxxxxxxxx>
To: Minal Patil <minalk.patil@xxxxxxxxx>; Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
Sent: Friday, 19 December 2014 5:01 PM
Subject: Re: delay observed in pam_authenticate when called multiple times.

On Fri, 2014-12-19 at 09:06 +0000, Minal Patil wrote:



> Hello Sir/Madam,
> I am working on a PAM authentication module where I am seeing a delay in pam_authenticate when called in a successive manner. Below is my PAM function call sequence.
> pam_start()
> ...
> 1. pam_authenticate()
> 2. pam_authenticate()
> 3. pam_authenticate()
>
> 4. pam_authenticate()
>
> ....
>
> 1000.pam_authenticate()
> ....
> pam_end()
>
> It is observed that the first pam_authenticate responds in 40 ms. The response time goes up with every subsequent pam_authenticate call. For the 1000th call the response time is observed to be 2 seconds.
>
> Below are my system details:
>
> [myuser@myhost workdir]$ ls -l /lib/libpam*
> lrwxrwxrwx. 1 root root    17 Oct 18  2013 /lib/libpamc.so.0 -> libpamc.so.0.82.1
> -rwxr-xr-x. 1 root root 13764 Oct 15  2012 /lib/libpamc.so.0.82.1
> lrwxrwxrwx. 1 root root    21 Oct 18  2013 /lib/libpam_misc.so.0 -> libpam_misc.so.0.82.0
> -rwxr-xr-x. 1 root root 11460 Oct 15  2012 /lib/libpam_misc.so.0.82.0
> lrwxrwxrwx. 1 root root    16 Oct 18  2013 /lib/libpam.so.0 -> libpam.so.0.82.2
> -rwxr-xr-x. 1 root root 52540 Oct 15  2012 /lib/libpam.so.0.82.2
> [myuser@myhost workdir]$ uname -a
> Linux myhost 2.6.32-358.18.1.el6.i686 #1 SMP Fri Aug 2 17:10:27 EDT 2013 i686 i686 i386 GNU/Linux
> [myuser@myhost workdir]$ cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.4 (Santiago)
>
> I have observed the same behavior on RHEL 6.2 as well.

> https://www.redhat.com/mailman/listinfo/pam-list

Which PAM modules do you have configured in the PAM stack? Do you
observe the same behavior even with PAM stack containing a single:

auth required pam_permit.so

If not, you have to find out which PAM module causes the delay, although
I suppose this can be multiple modules as the PAM stack was not designed to
operate this way. You should always call pam_start(), pam_authenticate()
and pam_end().

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
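
Added example, not part of the original thread or of Linux-PAM: to see which modules a single pam_authenticate() call actually runs for the login service, this sketch parses the quoted service file and expands its include lines. The system-auth content is a constructed stand-in (the thread never shows it), and the names parse, stack and SERVICES are hypothetical helpers.

```python
import re

# Auth/account lines of the login service file quoted in the message above.
LOGIN = """\
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
-session   optional     pam_ck_connector.so
"""
# CONSTRUCTED sample: the thread never shows system-auth; this stands in for it.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
"""
SERVICES = {"login": LOGIN, "system-auth": SYSTEM_AUTH}

# Optional "-", type, a [bracketed] or single-word control, module path, arguments.
LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments, incl. #%PAM-1.0
        m = LINE.match(line)
        if m:
            _, mtype, control, module, args = m.groups()
            yield mtype, control, module, args.split()

def stack(service, mtype, services=SERVICES, seen=()):
    """Return the rules run for `mtype`, in order, following include/substack."""
    if service in seen:
        raise ValueError("include loop at " + service)
    out = []
    for t, control, module, args in parse(services[service]):
        if t != mtype:
            continue
        if control in ("include", "substack"):
            out += stack(module, mtype, services, seen + (service,))
        else:
            out.append((control, module, args))
    return out

if __name__ == "__main__":
    for control, module, _ in stack("login", "auth"):
        print(f"{module:20} {control}")
```

Each module listed is a candidate for the per-call cost when pam_authenticate() is repeated on one handle, which is what the pam_permit.so test above is meant to isolate.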






