Re: Adding statistics for remote authentication

> On Oct 16, 2023, at 1:49 PM, Sam Hartman <hartmans@xxxxxxxxxx> wrote:
> 
>>>>>> "Philip" == Philip Prindeville <philipp_subx@xxxxxxxxxxxxxxxxxxxxx> writes:
> 
>    Philip> Anyway, the YANG standards include statistics like
>    Philip> retransmits and timeouts for both... but we don't currently
>    Philip> support that.
> 
> Are these useful for more than standards compliance?  Sometimes it feels
> like the IETF has a bit of a network-centric view, and I'll admit to
> having rarely wanted statistics like this in my practical production
> support days.


It's useful for more than standards compliance, yes.  It's handy for troubleshooting, performance measurement, site reliability engineering, etc.  I'd like to be able to also count failed authentications, successful ones, total requests, etc.  If you see a sudden ramp-up in failed authentications, for instance, it could be an indication of a dictionary attack.



>    Philip> What do the architects of PAM think about adding statistics
>    Philip> for remote authentication services?
> 
> How would you propose to store this?
> In some central file managed by the modules in question?
> How would you handle locking/updating?


Yeah, we'd either need to use explicit locking on the file, or maybe use a shared memory segment and a program to dump it readably.



> I am not one of the architects of PAM, but I do follow it because I
> maintain PAM in Debian.


That's good too: more eyes on the problem.

-Philip


_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/pam-list
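
The "explicit locking on the file" option mentioned in the message, as an added example that is not code from the thread or from Linux-PAM: a fixed-size counter record updated read-modify-write under flock(2). The event names follow the statistics the message lists; the struct layout, function names and any file path are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* O_CLOEXEC, O_NOFOLLOW, pread/pwrite */
#endif
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Hypothetical counter set, named after the events in the message above. */
enum auth_event { EV_REQUEST, EV_SUCCESS, EV_FAILURE, EV_RETRANSMIT, EV_TIMEOUT, EV_MAX };
struct auth_stats { uint64_t counter[EV_MAX]; };

/* Increment one counter with a read-modify-write under an exclusive lock.
 * Returns 0 on success, -1 on error; a caller would log the error and carry
 * on rather than let a statistics problem change the authentication result. */
int stats_bump(const char *path, enum auth_event ev)
{
    struct auth_stats s;
    int rc = -1;
    if ((int)ev < 0 || ev >= EV_MAX) return -1;
    int fd = open(path, O_RDWR | O_CREAT | O_CLOEXEC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX) == 0) {          /* blocks until we own the file */
        ssize_t n = pread(fd, &s, sizeof s, 0);
        if (n >= 0) {
            if (n != (ssize_t)sizeof s)     /* new or truncated file: start at 0 */
                memset(&s, 0, sizeof s);
            s.counter[ev]++;
            if (pwrite(fd, &s, sizeof s, 0) == (ssize_t)sizeof s)
                rc = 0;
        }
    }
    close(fd);                              /* close() also drops the flock */
    return rc;
}

/* Consistent snapshot under a shared lock, e.g. for a tool that dumps it. */
int stats_read(const char *path, struct auth_stats *out)
{
    int rc = -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_SH) == 0 && pread(fd, out, sizeof *out, 0) == (ssize_t)sizeof *out)
        rc = 0;
    close(fd);
    return rc;
}
```

flock(2) is used here instead of fcntl(2) record locks because a POSIX record lock is released when the process closes any descriptor for the file, which is easy to trigger from library code loaded into someone else's process.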



