Re: delay observed in pam_authenticate when called multiple times.



On Mon, 2014-12-22 at 06:56 +0000, Minal Patil wrote:
> Hello Tomas,
> I really appreciate your quick response on this. And apologies if I am asking repeated questions.
> I am seeing this behavior on the default login service which comes with the RHEL 6.x installation. I have not modified it. Below is its configuration.
> [myuser@myhost ~]$ cat /etc/pam.d/login
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad]
> auth       include      system-auth
> account    required
> account    include      system-auth
> password   include      system-auth
> # close should be the first session rule
> session    required close
> session    required
> session    optional
> # open should only be followed by sessions to be executed in the user context
> session    required open
> session    required
> session    optional force revoke
> session    include      system-auth
> -session   optional
> Do you still recommend rechecking with only "auth required"?
> To understand the API I was referring to the online documentation for linux-pam. (
> On the same page, in "What can be expected by the application" under "DESCRIPTION", the following is mentioned.
> The pam_handle_t is a blind structure and the application should not
> attempt to probe it directly for information. Instead the PAM library
> provides the functions pam_set_item(3) and pam_get_item(3). The PAM
> handle cannot be used for multiple authentications at the same time
> as long as pam_end was not called on it before. 

> To me this implies that if pam_end is not called the same handle can
> be reused. Can you please reconfirm if the understanding is correct.

The sentence you mention from the pam_start() documentation
unfortunately does not make much sense and, due to the double negative in
it, it seems to imply that you have to call pam_end() if you want to use
the handle for multiple authentications. That is of course nonsense. As
I said, you should try to test the multiple authentications with a single
handle with as simple a PAM stack configuration as possible and add
modules one by one to test which module causes the delay. I do not think the
library itself causes it but instead some modules do. In general it is
not recommended to reuse the handle for multiple authentications because
some PAM modules might not handle that gracefully, and I do not know of
any software that is part of RHEL-6 that would reuse the handle for
multiple authentications.

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
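
The module-by-module test suggested in the reply above, as an added example that is not part of the original message or of Linux-PAM: a shell helper that splits the `auth` rules of a service file into incremental test services, each adding one rule. The function name `make_pam_steps`, the `authtest` prefix and the sample stack are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: split the "auth" rules of a PAM service file into incremental
# test services, so each step adds exactly one more rule than the previous one.

# make_pam_steps STACK_FILE OUT_DIR PREFIX
# Writes OUT_DIR/PREFIX-1 .. OUT_DIR/PREFIX-N; step k holds the first k auth
# rules of STACK_FILE, in order. Prints N on stdout.
make_pam_steps() {
    stack=$1; outdir=$2; prefix=$3
    mkdir -p "$outdir" || return 1
    n=0
    rules=''
    while read -r type rest || [ -n "$type" ]; do
        case $type in
            auth|-auth) ;;        # keep only authentication rules
            *) continue ;;        # skip comments, blanks, account/password/session
        esac
        n=$((n + 1))
        rules="${rules}${type} ${rest}
"
        printf '#%%PAM-1.0\n%s' "$rules" > "$outdir/$prefix-$n"
    done < "$stack"
    echo "$n"
}

# demo: run make_pam_steps on a constructed stack (module names are sample
# values, not the configuration from the thread) and show the last step.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/stack" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
session    optional     pam_keyinit.so force revoke
EOF
    make_pam_steps "$tmp/stack" "$tmp/pam.d" authtest
    cat "$tmp/pam.d/authtest-2"
    rm -rf "$tmp"
}

# Stand-alone use: sh script.sh /etc/pam.d/login ./steps authtest
if [ $# -eq 3 ]; then make_pam_steps "$@"; else demo; fi
```

Each generated file can be copied into /etc/pam.d on a test machine and its name passed as the service name to pam_start(), timing repeated pam_authenticate() calls per step to see which added rule introduces the delay.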
