pam list size limit?

Wendy Palm wendy at cray.com
Wed Feb 4 23:56:52 UTC 2009


Getent shows the correct group entries, so I think PAM is still the
problem.

I was able to reproduce the whole problem on local SLES9sp2 and
SLES10sp1 systems.

I created 4000 users named user1000-user4999 (uid1000-4999).

Users have a primary group of some other group, and the secondary group
of "allowed".

Set up PAM as the following (obviously extremely basic):

/etc/security/access.conf
# allow root from anywhere
+:root:ALL
# the only non-root users allowed are in the group "allowed"
+:allowed:ALL
# disallow all other logins
-:ALL:ALL

/etc/pam.d/sshd
account     required      pam_access.so

On the SLES9sp2 system, I was able to put all 4000 users into the
"allowed" group, and all 4000 users were able to log in with no problem.

I repeated the experiment on the SLES10sp1 system, and ran into a
problem at user1962. Not only does user1962 have problems, but ALL the
users in the group fail.

add users user1000-user1961 to "allowed" in /etc/group, see user1961 can
log in (from the /var/log/messages file):

Feb  4 17:35:54 src at blox sshd 26 [auth.info] sshd[21697]: Accepted keyboard-interactive/pam for user1961 from 172.30.31.44 port 23054 ssh2

add user1962 to group "allowed" & try to ssh user1962, then try to ssh
user1961 (which just got in a minute before):

Feb  4 17:36:11 src at blox sshd 53 [authpriv.err] sshd[21791]: pam_access(sshd:account): access denied for user `user1962' from `iss-eth100.us.cray.com'
Feb  4 17:36:11 src at blox sshd 23 [auth.err] sshd[21789]: error: PAM: Permission denied for user1962 from iss-eth100.us.cray.com
Feb  4 17:36:27 src at blox sshd 53 [authpriv.err] sshd[21816]: pam_access(sshd:account): access denied for user `user1961' from `iss-eth100.us.cray.com'
Feb  4 17:36:27 src at blox sshd 23 [auth.err] sshd[21814]: error: PAM: Permission denied for user1961 from iss-eth100.us.cray.com

"grep allowed /etc/group" shows the whole line, including
user1000-user1962:

wendy at blox:~> grep allowed /etc/group | wc -c
8682

"getent group allowed" shows the whole group entry, including
user1000-user1962:

wendy at blox:~> getent group allowed | wc -c
8682

I can't find anything else having problems in the system.

I wondered if this might be related to some kind of side-effect of ksh
changing over from pdksh to ksh, but I can't figure out how. It seems
more like the build Novell did added some kind of limit that I can't
find here.

From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
On Behalf Of Jon Miller
Sent: Wednesday, January 28, 2009 7:38 PM
To: Pluggable Authentication Modules
Subject: Re: pam list size limit?

The 'getent' command is independent of any other operations occurring on
your machine, so it is quite harmless to test. For example, logging into
your machine and running "getent group root" should simply show you the
'root' group entry. Now substitute 'root' for your group name and see
how many members you see. 

You can have 'awk' count them for you. In the case of the 'root' group,
I can issue the command "getent group root | awk -F, '{ print NF }'".
See if the count is what you are expecting. If you are not getting the
expected +2500 entries then you know it is not a PAM issue.

-- Jon Miller

2009/1/28 Wendy Palm <wendy at cray.com>

I can't test the getent command right now. We have a workaround in
place that I'd have to disengage to test it out.

I'm at SP1.  Pam version in SP1 is 0.99.6.3-28.8 and didn't change in
sp2 - are there any specific packages you might recommend updating to
sp2?  It's not feasible for me to wholesale change the whole system to
sp2, so targeting packages for experimentation would be easier.

From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
On Behalf Of Jon Miller
Sent: Wednesday, January 28, 2009 6:06 PM
To: Pluggable Authentication Modules
Subject: Re: pam list size limit?

Are you sure the issue is with pam_access? How many entries do you get
when you run "getent group <grpname>" ?
Finally, what level SP are you at on your SLES10 machine? If you're not
at SP2, you could try updating to that. I've found SP2 to have solved a
lot of issues. 

-- Jon Miller

2009/1/28 Wendy Palm <wendy at cray.com>

We have a site that uses pam to regulate user logins, and has a unix
group in excess of 2500 user entries which is specified in the
access.conf file.

They were running SLES9 (pam-0.77-221.4) and had no problems.  However,
updating to SLES10 (pam-0.99.6.3-28.8), they are now having problems
with the group list truncating at about 1100 user entries.

Was some default limit changed?  I checked the archives, but didn't see
anything blatant announcing this.  I checked the ChangeLog in the source
code and found an entry that is suspicious (2005-12-21  Tomas Mraz
simplifying evaluate_ingroup), but again, nothing blatant.

What is the limit?  How can I change it (preferably without
recompiling)?  Is this at all possible?

Thanks,

Wendy

---------------------------------
Wendy Palm
Security Software Engineer
wendy at cray dot com
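
The reproduction in the top message (an "allowed" line of 8682 bytes that pam_access stops honouring for every member once user1962 is added) and Jon Miller's suggestion to count members with getent and awk both come down to one check: how many members a group line carries and how long it is. The POSIX shell below is an added example written for this archive page, not code from the thread or from Linux-PAM. It parses getent-style group lines, counts members from the fourth colon-separated field (so a memberless group such as root:x:0: counts as 0 rather than 1), reports the byte length the way "wc -c" does, names the last-listed member as the account to test a login for, and flags any line over a size threshold. It generalises Jon's one-group count to auditing every line on stdin. The group name, gid 1500, the user1000-user1962 range and the 8192-byte threshold are constructed for illustration; the thread does not establish the real limit in pam 0.99.6.3, so the threshold is a tripwire to tune against the group that actually fails on your system.

```shell
#!/bin/sh
# Added example: audit getent-style group lines for member count and size.
# Not from the thread or from Linux-PAM; names, gid and threshold are constructed.

# Build a constructed group line "NAME:x:GID:userFIRST,...,userLAST" so the
# script runs offline (the thread's real data came from getent and /etc/group).
make_sample_group_line() {
    msg_name=$1; msg_gid=$2; msg_first=$3; msg_last=$4
    msg_members=""
    msg_i=$msg_first
    while [ "$msg_i" -le "$msg_last" ]; do
        if [ -z "$msg_members" ]; then
            msg_members="user$msg_i"
        else
            msg_members="$msg_members,user$msg_i"
        fi
        msg_i=$((msg_i + 1))
    done
    printf '%s:x:%s:%s\n' "$msg_name" "$msg_gid" "$msg_members"
}

# Number of members in one group line. Splits on ':' first so a group with no
# members (e.g. "root:x:0:") reports 0 rather than 1.
group_member_count() {
    printf '%s\n' "$1" | awk -F: '{ if ($4 == "") print 0; else print split($4, m, ",") }'
}

# Byte length of the line including its newline, matching "getent group X | wc -c".
group_line_bytes() {
    printf '%s\n' $(( $(printf '%s\n' "$1" | wc -c) ))
}

# Last member listed on the line: the account whose login to verify after a change.
group_last_member() {
    printf '%s\n' "$1" | awk -F: '{ n = split($4, m, ","); print (n ? m[n] : "") }'
}

# Warn (return 1) when a line exceeds the byte limit; print OK (return 0) otherwise.
check_group_line() {
    cgl_line=$1; cgl_limit=$2
    cgl_name=${cgl_line%%:*}
    cgl_count=$(group_member_count "$cgl_line")
    cgl_bytes=$(group_line_bytes "$cgl_line")
    if [ "$cgl_bytes" -gt "$cgl_limit" ]; then
        printf 'WARN: group %s: %s members, %s bytes (limit %s); verify login for %s\n' \
            "$cgl_name" "$cgl_count" "$cgl_bytes" "$cgl_limit" \
            "$(group_last_member "$cgl_line")" >&2
        return 1
    fi
    printf 'OK: group %s: %s members, %s bytes\n' "$cgl_name" "$cgl_count" "$cgl_bytes"
    return 0
}

# Audit every group line on stdin, e.g. "getent group | audit_group_lines 8192".
# Returns 1 if any line exceeded the limit, 0 otherwise.
audit_group_lines() {
    agl_limit=$1
    agl_status=0
    while IFS= read -r agl_line; do
        check_group_line "$agl_line" "$agl_limit" || agl_status=1
    done
    return $agl_status
}
```

Dot-source the file on the affected host and run "getent group allowed | audit_group_lines 8192" (or "getent group | audit_group_lines 8192" for every group). Going through getent, as Jon suggests, matters because it resolves the group through NSS the same way the PAM module does, rather than reading /etc/group directly. When a line is flagged, confirm the symptom the way the reproduction above does: attempt a login as the member the warning names. With a 4-digit gid the constructed "allowed" line comes to exactly the 8682 bytes the top message reports, which is a useful sanity check that the count and size functions agree with "wc -c".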


_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list