delay observed in pam_authenticate when called multiple times.

Minal Patil minalk.patil at yahoo.com
Mon Dec 22 06:56:08 UTC 2014


Hello Tomas,
I really appreciate your quick response on this. And apologies if I am asking repeated questions.

I am seeing this behavior on the default login service which comes with the RHEL 6.x installation. I have not modified it. Below is its configuration.
[myuser at myhost ~]$ cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
Do you still recommend rechecking with only "auth required pam_permit.so"?
To understand the API I was referring to the online documentation for linux-pam. (http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_authenticate)

On the same page, in "What can be expected by the application" under "3.1.1.1. DESCRIPTION", the following is mentioned:

The pam_handle_t is a blind structure and the application should not attempt to probe it directly for information. Instead the PAM library provides the functions pam_set_item(3) and pam_get_item(3). The PAM handle cannot be used for multiple authentications at the same time as long as pam_end was not called on it before.
To me this implies that if pam_end is not called the same handle can be reused. Can you please reconfirm if the understanding is correct?
 
Thanks & Regards, 
MINAL PATIL


 

     From: Tomas Mraz <tmraz at redhat.com>
 To: Minal Patil <minalk.patil at yahoo.com>; Pluggable Authentication Modules <pam-list at redhat.com> 
 Sent: Friday, 19 December 2014 5:01 PM
 Subject: Re: delay observed in pam_authenticate when called multiple times.
   
On Pá, 2014-12-19 at 09:06 +0000, Minal Patil wrote:


> Hello Sir/Madam,
> I am working on a PAM authentication module where I am seeing a delay in pam_authenticate when called in a successive manner. Below is my PAM function call sequence.
> pam_start()
> ...
> 1. pam_authenticate()
> 2. pam_authenticate()
> 3. pam_authenticate()
> 
> 4. pam_authenticate()
> 
> ....
> 
> 1000.pam_authenticate()
> ....
> pam_end()
> 
> It is observed that the first pam_authenticate responds within 40 ms. The response time goes up with every subsequent pam_authenticate call. For the 1000th call the response time is observed to be 2 seconds.
> 
> Below are my system details:
> 
> [myuser at myhost workdir]$ ls -l /lib/libpam*
> lrwxrwxrwx. 1 root root    17 Oct 18  2013 /lib/libpamc.so.0 -> libpamc.so.0.82.1
> -rwxr-xr-x. 1 root root 13764 Oct 15  2012 /lib/libpamc.so.0.82.1
> lrwxrwxrwx. 1 root root    21 Oct 18  2013 /lib/libpam_misc.so.0 -> libpam_misc.so.0.82.0
> -rwxr-xr-x. 1 root root 11460 Oct 15  2012 /lib/libpam_misc.so.0.82.0
> lrwxrwxrwx. 1 root root    16 Oct 18  2013 /lib/libpam.so.0 -> libpam.so.0.82.2
> -rwxr-xr-x. 1 root root 52540 Oct 15  2012 /lib/libpam.so.0.82.2
> [myuser at myhost workdir]$ uname -a
> Linux myhost 2.6.32-358.18.1.el6.i686 #1 SMP Fri Aug 2 17:10:27 EDT 2013 i686 i686 i386 GNU/Linux
> [myuser at myhost workdir]$ cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.4 (Santiago)
> 
> I have observed the same behavior on RHEL 6.2 as well. 

Which PAM modules do you have configured in the PAM stack? Do you
observe the same behavior even with PAM stack containing a single:

auth required pam_permit.so

If not, you have to find out which PAM module causes the delay although
I suppose this can be multiple modules as PAM stack was not designed to
operate this way. You should always call pam_start() pam_authenticate()
and pam_end().

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
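
Added example, not part of the original messages: to narrow down which module adds the delay, it helps to list what actually runs for "auth" once the include lines in a service file like the one above are expanded. This sketch parses that service-file syntax (bracketed controls, leading "-", include); the system-auth contents are a constructed stand-in because the thread does not show that file, and parse_line, stack and FILES are hypothetical names. Backslash line continuations are not handled.

```python
# Excerpt of the /etc/pam.d/login shown in the message above.
LOGIN = """\
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
-session   optional     pam_ck_connector.so
"""
# Constructed stand-in for /etc/pam.d/system-auth (assumption, not from the thread).
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
"""
FILES = {"login": LOGIN, "system-auth": SYSTEM_AUTH}

def parse_line(line):
    """Return (type, control, module, args, optional), or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    optional = line.startswith("-")   # leading '-': a missing module is not logged
    line = line.lstrip("-")
    mtype, rest = line.split(None, 1)
    if rest.startswith("["):          # [value=action ...] control contains spaces
        end = rest.index("]")
        control, rest = rest[:end + 1], rest[end + 1:]
    else:
        control, rest = rest.split(None, 1)
    fields = rest.split()
    return mtype, control, fields[0], fields[1:], optional

def stack(service, files, mtype="auth", _seen=()):
    """Expand include/substack and list the modules that run for one type, in order."""
    if service in _seen:
        raise ValueError("include loop at " + service)
    out = []
    for raw in files[service].splitlines():
        entry = parse_line(raw)
        if entry is None or entry[0] != mtype:
            continue
        _, control, module, args, _ = entry
        if control in ("include", "substack"):
            out += stack(module, files, mtype, _seen + (service,))
        else:
            out.append((service, control, module, args))
    return out

if __name__ == "__main__":
    for origin, control, module, args in stack("login", FILES):
        print(origin, control, module, " ".join(args))
```

Each module in the resulting list can then be tested on its own in a scratch service file, starting from the single pam_permit.so line suggested above.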




   

  