Re: increasing the 'auth' attempts allowed by pam_unix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello everyone,

as a follow up, this was my /etc/pam.d/httpd file for the below issue:

> auth        required    pam_unix.so nullok try_first_pass
> account     required    pam_unix.so
> password    required    pam_unix.so 


now, if i change this file to, say:

> auth        required    pam_rootok.so
> account     required    pam_unix.so
> password    required    pam_unix.so 

or anything where “pam_rootok.so” is the first module (that will succeed, as this daemon is run as root), then the below goes away.

so it is definitely something to do with PAM throttling successful authorisations, as the rootok module will force the user to login once, but never again.

to contrast both situations:
	-for the first /etc/pam.d/httpd file
		-if you invoke passwd from command line as root and change the password, the webpanel will (within a few seconds) request you login again.
	-for the second /etc/pam.d/httpd file (with rootok.so as the first module)
		-if you invoke passwd from command line as root and change the password, the webpanel DOES NOT request that you login again.

if you could provide any insight to say, maybe invoking pam_rootok.so after authorising successfully, i’d be grateful. i’ve tried the following:

> auth        required    pam_env.so
> account     required    pam_unix.so
> auth        required    pam_unix.so nullok 
> account        required    pam_rootok.so
> password    required    pam_unix.so 
> 

but it has not yielded a different outcome (when compared to the first /etc/pam.d/httpd file).

Thanks,
Gagan




> On Feb 14, 2019, at 1:37 PM, Gagan Sidhu <broly@xxxxxxx> wrote:
> 
> hello.
> 
> First of all, my original inquiry is here: https://www.redhat.com/archives/pam-list/2018-May/msg00004.html
> 
> I think the issue is that the httpd daemon is “hammering” pam with too many “auths”, and thus when it begins to spit out
> 
>> May 22 18:31:32 DD-WRT httpd[536]: pam_unix(httpd:auth): auth could not identify password for [root]
>> May 22 18:31:32 DD-WRT httpd[536]: pam_unix(httpd:auth): auth could not identify password for [root]
> 
> follwoed by
> 
>> May 22 18:31:32 DD-WRT : Caught SIGSEGV (11) sent by kernel in ??? 
>> May 22 18:31:32 DD-WRT : Thread 2373: httpd 
>> May 22 18:31:32 DD-WRT : === Context: 
>> May 22 18:31:32 DD-WRT : ZERO:00000000   AT:00000001   V0:00000000   V1:00000001   A0:6677656e   A1:00000001 
>> May 22 18:31:32 DD-WRT :   A2:00000010   A3:74600471   T0:00000001   T1:00000fa6   T2:00000000   T3:006e7275 
>> May 22 18:31:32 DD-WRT :   T4:76dbae28   T5:77c28020   T6:004400b0   T7:746005b8   S0:746004b0   S1:77adda30 
>> May 22 18:31:32 DD-WRT :   S2:746005b0   S3:74600470   S4:76dbb920   S5:00000000   S6:00409804   S7:76dbb920 
>> May 22 18:31:32 DD-WRT :   T8:00000000   T9:77ad90e8   K0:7460049b   K1:00000000   GP:77bf7e20   SP:76dbaee8 
>> May 22 18:31:32 DD-WRT :   FP:76dbaf40   RA:77bb4484 
>> May 22 18:31:32 DD-WRT : === Backtrace: 
>> May 22 18:31:32 DD-WRT : # [0x77bb442c]: ra offset 44 
>> May 22 18:31:32 DD-WRT : # [0x77bb4418]: stack size 48 
>> May 22 18:31:32 DD-WRT : # [0x77bb45e8]: ra offset 36 
>> May 22 18:31:32 DD-WRT : # [0x77bb45d0]: stack size 40 
>> May 22 18:31:32 DD-WRT : # [0x77bfbb54]: ra offset 172 
>> May 22 18:31:32 DD-WRT : # [0x77bfbb28]: stack size 176 
>> May 22 18:31:32 DD-WRT : # [0x77b5768c]: stack size 32 
>> May 22 18:31:32 DD-WRT : # [0x77b57678]: stack size 32 
>> May 22 18:31:32 DD-WRT : # [0x77b5761c]: stack size 32 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](+0x00160474)[0x77bb4474] 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](__libc_thread_freeres+0x00000058)[0x77bb461c] 
>> May 22 18:31:32 DD-WRT : /lib/libpthread.so.0[0x77bf5000](+0x00006c84)[0x77bfbc84] 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](+0x001036ac)[0x77b576ac] 
>> May 22 18:31:32 DD-WRT : ???(+0)[0x77f9b030] 
>> May 22 18:31:32 DD-WRT : === Code: 
>> May 22 18:31:32 DD-WRT : 77bb4434:  afb10020 afb0001c 1260001c 26700040 00602025 8f8394f0 ac400000 00641821 
>> May 22 18:31:32 DD-WRT : 77bb4454:  24020001 8f9187ec a0620000 26720140 8e040000 00000000 10800009 00000000 
>> May 22 18:31:32 DD-WRT : 77bb4474: >8c820000 0220c825 0320f809 ae020000 8e040000 00000000 1480fff9 00000000 
>> May 22 18:31:32 DD-WRT : 77bb4494:  26100004 1650fff2 0220c825 0320f809 02602025 8fbc0010 00000000 8f8294e8 
>> May 22 18:31:32 DD-WRT : Caught SIGABRT (6) sent by tkill 
>> May 22 18:31:32 DD-WRT : Thread 2374: httpd 
>> May 22 18:31:32 DD-WRT : === Context: 
>> May 22 18:31:32 DD-WRT : ZERO:00000000   AT:00000001   V0:00000000   V1:74ffec00   A0:00000003   A1:74ffec00 
>> May 22 18:31:32 DD-WRT :   A2:00000000   A3:00000000   T0:00000000   T1:00000401   T2:00000001   T3:77fa7000 
>> May 22 18:31:32 DD-WRT :   T4:00002000   T5:fffffffc   T6:00100000   T7:00001072   S0:00000000   S1:74ffec00 
>> May 22 18:31:32 DD-WRT :   S2:77bf4000   S3:00000010   S4:77ae4c70   S5:77f9a000   S6:00000002   S7:00000002 
>> May 22 18:31:32 DD-WRT :   T8:77abf088   T9:77a85fb0   K0:00000010   K1:00000000   GP:77bf7e20   SP:74ffeb78 
>> May 22 18:31:32 DD-WRT :   FP:74ffee10   RA:77a87754 
>> May 22 18:31:32 DD-WRT : === Backtrace: 
>> May 22 18:31:32 DD-WRT : # [0x77a85fc0]: stack size 272 
>> May 22 18:31:32 DD-WRT : # [0x77a875e4]: ra offset 316 
>> May 22 18:31:32 DD-WRT : # [0x77a875dc]: stack size 320 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](gsignal+0x000000d0)[0x77a86080] 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](abort+0x00000184)[0x77a87754] 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](__libc_fatal+0x00000000)[0x77ace564] 
>> May 22 18:31:32 DD-WRT : /usr/lib/libutils.so[0x77c7f000](+0x00014b74)[0x77c93b74] 
>> May 22 18:31:32 DD-WRT : === Code: 
>> May 22 18:31:32 DD-WRT : 77a86040:  0000000c 00402025 2402107e 0000000c 00402825 02003025 240210aa 0000000c 
>> May 22 18:31:32 DD-WRT : 77a86060:  14e0000c 00408025 24040003 02202825 00003025 24070010 24021063 0000000c 
>> May 22 18:31:32 DD-WRT : 77a86080: >02001025 8fb1010c 8fb00108 03e00008 27bd0110 8f8294d8 7c03e83b 00431021 
>> May 22 18:31:32 DD-WRT : 77a860a0:  ac500000 1000fff0 2410ffff 00000000 3c1c0017 279c1d70 0399e021 04800005 
>> May 22 18:31:32 DD-WRT : Caught SIGABRT (6) sent by tkill 
>> May 22 18:31:32 DD-WRT : Thread 2370: httpd 
>> May 22 18:31:32 DD-WRT : === Context: 
>> May 22 18:31:32 DD-WRT : ZERO:00000000   AT:00000001   V0:00000000   V1:7789fc00   A0:00000003   A1:7789fc00 
>> May 22 18:31:32 DD-WRT :   A2:00000000   A3:00000000   T0:00000000   T1:00000401   T2:77f99000   T3:77fa7000 
>> May 22 18:31:32 DD-WRT :   T4:00002000   T5:fffffffc   T6:00100000   T7:00001072   S0:00000000   S1:7789fc00 
>> May 22 18:31:32 DD-WRT :   S2:77bf4000   S3:00000010   S4:77ae4c70   S5:77f99000   S6:00000002   S7:00000002 
>> May 22 18:31:32 DD-WRT :   T8:77abf088   T9:77a85fb0   K0:00000010   K1:00000000   GP:77bf7e20   SP:7789fb78 
>> May 22 18:31:32 DD-WRT :   FP:7789fe10   RA:77a87754 
>> May 22 18:31:32 DD-WRT : === Backtrace: 
>> May 22 18:31:32 DD-WRT : # [0x77a85fc0]: stack size 272 
>> May 22 18:31:32 DD-WRT : # [0x77a875e4]: ra offset 316 
>> May 22 18:31:32 DD-WRT : # [0x77a875dc]: stack size 320 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](gsignal+0x000000d0)[0x77a86080] 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](abort+0x00000184)[0x77a87754] 
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](__libc_fatal+0x00000000)[0x77ace564] 
>> May 22 18:31:32 DD-WRT : /usr/lib/libutils.so[0x77c7f000](+0x00014b74)[0x77c93b74] 
>> May 22 18:31:32 DD-WRT : === Code: 
>> May 22 18:31:32 DD-WRT : 77a86040:  0000000c 00402025 2402107e 0000000c 00402825 02003025 240210aa 0000000c 
>> May 22 18:31:32 DD-WRT : 77a86060:  14e0000c 00408025 24040003 02202825 00003025 24070010 24021063 0000000c 
>> May 22 18:31:32 DD-WRT : 77a86080: >02001025 8fb1010c 8fb00108 03e00008 27bd0110 8f8294d8 7c03e83b 00431021 
>> May 22 18:31:32 DD-WRT : 77a860a0:  ac500000 1000fff0 2410ffff 00000000 3c1c0017 279c1d70 0399e021 04800005 
>> 
> 
> that it’s a result of too many ‘auth’ requests being sent to PAM, which eventually has the module return “could not identify password for [user]”.
> 
> My question is: is there a way to increase the number of auth attempts for this program? This specific page is trying to query 18-20 interfaces and then render their activity via SVG.
> 	-even though I’m only using one of the interfaces, the UI will draw all 18-20 anyways, so I suspect the daemon’s voluminous attempts (due to the SVG being a plot that’s updated constantly) results in this error, as some kind of throttling.
> 
> any tips? 
> 
> Thanks,
> Gagan
> 
> 
> 
> 



_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux