Re: delay observed in pam_authenticate when called multiple times.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hello Tomas,

I would like to add one more thing. The account i was validating is a local account.

Thanks & Regards,
Pune | Mobile : +91 7350014029 | Mail : minalkpatil9@xxxxxxxxx

From: Minal Patil <minalk.patil@xxxxxxxxx>
To: Tomas Mraz <tmraz@xxxxxxxxxx>; Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
Sent: Monday, 22 December 2014 12:26 PM
Subject: Re: delay observed in pam_authenticate when called multiple times.

Hello Tomas,

Really appreciate for your quick response on this.  And apologies if I am asking repeated questions.

I am seeing this behavior on default login service which come with RHEL 6.x installation. I have not modified the same. Below is the configuration for same.

[myuser@myhost ~]$ cat /etc/pam.d/login
auth [user_unknown=ignore success=ok ignore=ignore default=bad]
auth       include      system-auth
account    required
account    include      system-auth
password   include      system-auth
# close should be the first session rule
session    required close
session    required
session    optional
# open should only be followed by sessions to be executed in the user context
session    required open
session    required
session    optional force revoke
session    include      system-auth
-session   optional

Do you still recommend to recheck with only  "auth required" ?

To understand the API I was referring to the online documentation for linux-pam. (

On the same page in "What can be expected by the application" under  " DESCRIPTION"  below is mentioned.

The pam_handle_t is a blind structure and the application should not attempt to probe it directly for information. Instead the PAM library provides the functions pam_set_item(3) and pam_get_item(3). The PAM handle cannot be used for mulitiple authentications at the same time as long as pam_end was not called on it before.

To me this implies that if pam_end is not called the same handle can be reused. Can you please reconfirm if the understanding is correct.


Thanks & Regards,

From: Tomas Mraz <tmraz@xxxxxxxxxx>
To: Minal Patil <minalk.patil@xxxxxxxxx>; Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
Sent: Friday, 19 December 2014 5:01 PM
Subject: Re: delay observed in pam_authenticate when called multiple times.

On Pá, 2014-12-19 at 09:06 +0000, Minal Patil wrote:

> Hello Sir/Madam,
> I am working on a PAM authentication module where i am seeing delay in pam_authenticate when called in sucessive manner.Below is my PAM function call sequence.
> pam_start()
> ...
> 1. pam_authenticate()
> 2. pam_authenticate()
> 3. pam_authenticate()
> 4. pam_authenticate()
> ....
> 1000.pam_authenticate()
> ....
> pam_end()
> It is observed that the first pam_authenticate responds with 40 ms. The response time goes up with every subsequent pam_authenticate call. for 1000 the call the response time is observed to be 2 seconds.
> Below are my system details:
> [myuser@myhost workdir]$ ls -l /lib/libpam*
> lrwxrwxrwx. 1 root root    17 Oct 18  2013 /lib/ ->
> -rwxr-xr-x. 1 root root 13764 Oct 15  2012 /lib/
> lrwxrwxrwx. 1 root root    21 Oct 18  2013 /lib/ ->
> -rwxr-xr-x. 1 root root 11460 Oct 15  2012 /lib/
> lrwxrwxrwx. 1 root root    16 Oct 18  2013 /lib/ ->
> -rwxr-xr-x. 1 root root 52540 Oct 15  2012 /lib/
> [myuser@myhost workdir]$ uname -a
> Linux myhost 2.6.32-358.18.1.el6.i686 #1 SMP Fri Aug 2 17:10:27 EDT 2013 i686 i686 i386 GNU/Linux
> [myuser@myhost workdir]$ cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.4 (Santiago)
> I have observed the same behavior on RHEL 6.2 as well.


Which PAM modules do you have configured in the PAM stack? Do you
observe the same behavior even with PAM stack containing a single:

auth required

If not, you have to find out which PAM module causes the delay although
I suppose this can be multiple modules as PAM stack was not designed to
operate this way. You should always call pam_start() pam_authenticate()
and pam_end().

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux