On Mon, 2014-12-22 at 06:56 +0000, Minal Patil wrote:
> Hello Tomas,
> Really appreciate your quick response on this. And apologies if I am asking repeated questions.
>
> I am seeing this behavior on the default login service which comes with the RHEL 6.x installation. I have not modified the same. Below is the configuration for the same.
> [myuser@myhost ~]$ cat /etc/pam.d/login
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
> auth include system-auth
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> session optional pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session required pam_selinux.so open
> session required pam_namespace.so
> session optional pam_keyinit.so force revoke
> session include system-auth
> -session optional pam_ck_connector.so
> Do you still recommend rechecking with only "auth required pam_permit.so"?
> To understand the API I was referring to the online documentation for linux-pam. (http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_authenticate)
>
> On the same page, in "What can be expected by the application" under "3.1.1.1. DESCRIPTION", the below is mentioned.
>
> The pam_handle_t is a blind structure and the application should not
> attempt to probe it directly for information. Instead the PAM library
> provides the functions pam_set_item(3) and pam_get_item(3). The PAM
> handle cannot be used for multiple authentications at the same time
> as long as pam_end was not called on it before.
> To me this implies that if pam_end is not called the same handle can
> be reused. Can you please reconfirm if the understanding is correct.

The sentence you mention from the pam_start() documentation unfortunately does not make much sense, and due to the double negative in it, it seems to imply that you have to call pam_end() if you want to use the handle for multiple authentications. That is of course nonsense.

As I said, you should try to test the multiple authentications with a single handle with as simple a PAM stack configuration as possible and add modules one by one to test which module causes the delay. I do not think the library itself causes it but instead some modules do.

In general it is not recommended to reuse the handle for multiple authentications because some PAM modules might not handle that gracefully, and I do not know of any software that is part of RHEL-6 that would reuse the handle for multiple authentications.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
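
The test procedure described in the reply above (start from the simplest stack, then add modules one by one), as an added example that is not part of the original thread: it flattens the auth rules of the posted /etc/pam.d/login and emits one test stack per stage. The function names, the test service path /etc/pam.d/pamtest and the contents of system-auth are assumptions; the thread does not show system-auth.

```python
import re

# Rule line: [-]type, control (a word or a [bracketed list]), module and args.
RULE = re.compile(r"^(-?(?:auth|account|password|session))\s+(\[[^\]]*\]|\S+)\s+(.+)$")

def auth_rules(service, files, seen=()):
    """Return the auth rules of `service`, expanding `include` lines in place."""
    if service in seen:
        raise ValueError("include loop at " + service)
    rules = []
    for line in files[service].splitlines():
        m = RULE.match(line.strip())      # comments and blank lines do not match
        if not m or m.group(1).lstrip("-") != "auth":
            continue
        typ, control, rest = m.groups()
        if control == "include":          # include pulls in same-type rules only
            rules += auth_rules(rest.split()[0], files, seen + (service,))
        else:
            rules.append(f"{typ} {control} {rest}")
    return rules

def staged_stacks(service, files):
    """Stage 0 is pam_permit alone; stage k is the first k rules of the real stack."""
    rules = auth_rules(service, files)
    return [["auth required pam_permit.so"]] + [rules[:k] for k in range(1, len(rules) + 1)]

# /etc/pam.d/login as posted in the thread (auth and account lines only).
LOGIN = """\
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
"""
# Constructed stand-in: the thread does not show the contents of system-auth.
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
"""
FILES = {"login": LOGIN, "system-auth": SYSTEM_AUTH}

if __name__ == "__main__":
    for n, stage in enumerate(staged_stacks("login", FILES)):
        # /etc/pam.d/pamtest is a hypothetical service name for the test program.
        print(f"# stage {n}: save as /etc/pam.d/pamtest and time pam_authenticate()")
        print("\n".join(stage), end="\n\n")
```

The first stage at which the repeated pam_authenticate() call on one handle becomes slow identifies the rule that was added last as the one to examine.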