[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: pam list size limit?



Getent shows the correct group entries, so I think PAM is still the problem.

 

I was able to reproduce the whole problem on local SLES9sp2 and SLES10sp1 systems

 

I created 4000 users named user1000-user4999 (uid1000-4999)

Users have a primary group of some other group, and the secondary group of "allowed"

 

Set up PAM as the following (obviously extremely basic):

 

/etc/security/access.conf

# allow root from anywhere

+:root:ALL

# the only non-root users allowed are in the group "allowed"

+:allowed:ALL

# disallow all other logins

-:ALL:ALL

 

/etc/pam.d/sshd

account     required      pam_access.so

 

On the SLES9sp2 system, I was able to put all 4000 users into the "allowed" group, and

all 4000 users were able log in with no problem.

 

I repeated the experiment on the SLES10sp1 system, and ran into a problem at user1962.

Not only does user1962 have problems, but ALL the users in the group fail. 

 

add users user1000-user1961 to "allowed" in /etc/group, see user1961 can log in (from the /var/log/messages file)

 

Feb  4 17:35:54 src blox sshd 26 [auth.info] sshd[21697]: Accepted keyboard-interactive/pam for user1961 from 172.30.31.44 port 23054 ssh2

 

add user1962 to group "allowed" & try to ssh user1962, then try to ssh user1961 (which just got in a minute before)

Feb  4 17:36:11 src blox sshd 53 [authpriv.err] sshd[21791]: pam_access(sshd:account): access denied for user `user1962\' from `iss-eth100.us.cray.com\'

Feb  4 17:36:11 src blox sshd 23 [auth.err] sshd[21789]: error: PAM: Permission denied for user1962 from iss-eth100.us.cray.com

Feb  4 17:36:27 src blox sshd 53 [authpriv.err] sshd[21816]: pam_access(sshd:account): access denied for user `user1961\' from `iss-eth100.us.cray.com\'

Feb  4 17:36:27 src blox sshd 23 [auth.err] sshd[21814]: error: PAM: Permission denied for user1961 from iss-eth100.us.cray.com

 

"grep allowed /etc/group" shows the whole line, including user1000-user1962

wendy blox:~> grep allowed /etc/group | wc -c

8682

"getent group allowed" shows the whole group entry, including user1000-user1962

wendy blox:~> getent group allowed | wc -c

8682

 

I can't find anything else having problems in the system.

I wondered if this might be related to some kind of side-effect of ksh changing over from pdksh to ksh, but I can't figure out how.

  It seems more like the build Novell did added some kind of limit that I can't find here.

 

From: pam-list-bounces redhat com [mailto:pam-list-bounces redhat com] On Behalf Of Jon Miller
Sent: Wednesday, January 28, 2009 7:38 PM
To: Pluggable Authentication Modules
Subject: Re: pam list size limit?

 

The 'getent' command is independent of any other operations occurring on your machine, so it is quite harmless to test. For example, logging into your machine and running "getent group root" should simply show you the 'root' group entry. Now substitute 'root' for your group name and see how many members you see.

You can have 'awk' count them for you. In the case of the 'root' group, I can issue the command "getent group root | awk -F, '{ print NF }'". See if the count is what you are expecting. If you are not getting the expected +2500 entries then you know it is not a PAM issue.

-- Jon Miller

2009/1/28 Wendy Palm <wendy cray com>

I can't test the getent command right now.  we have a workaround in place that I'd have to disengage to test it out.

 

I'm at SP1.  Pam version in SP1 is 0.99.6.3-28.8 and didn't change in sp2 – are there any specific packages you might recommend updating to sp2?  It's not feasible for me to wholesale change the whole system to sp2, so targeting packages for experimentation would be easier.

 

From: pam-list-bounces redhat com [mailto:pam-list-bounces redhat com] On Behalf Of Jon Miller
Sent: Wednesday, January 28, 2009 6:06 PM
To: Pluggable Authentication Modules
Subject: Re: pam list size limit?

 

Are you sure the issue is with pam_access? How many entries do you get when you run "getent group <grpname>" ?
Finally, what level SP are you at on your SLES10 machine? If you're not at SP2, you could try updating to that. I've found SP2 to have solved a lot of issues.

-- Jon Miller

2009/1/28 Wendy Palm <wendy cray com>

We have a site that uses pam to regulate user logins, and has a unix group in excess of 2500 user entries which is specified in the access.conf file.

 

They were running SLES9 (pam-0.77-221.4) and had no problems.  However, updating to SLES10 (pam-0.99.6.3-28.8), they are now having problems with the group list truncating at about 1100 user entries.

 

Was some default limit changed?  I checked the archives, but didn't see anything blatent announcing this.  I checked the ChangeLog in the source code and found an entry that is suspicious (2005-12-21  Tomas Mraz simplifying evaluate_ingroup), but again, nothing blatent.

 

What is the limit?  How can I change it (preferably without recompiling)?  Is this at all possible?

 

Thanks,

Wendy

 

 

 

---------------------------------

Wendy Palm

Security Software Engineer

wendy at cray dot com

 


_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list

 


_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list

 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]