delay observed in pam_authenticate when called multiple times.

Tomas Mraz tmraz at redhat.com
Fri Jan 2 08:36:34 UTC 2015 

On Po, 2014-12-22 at 06:56 +0000, Minal Patil wrote:
> Hello Tomas,
> Really appreciate for your quick response on this.  And apologies if I am asking repeated questions.
> 
> I am seeing this behavior on default login service which come with RHEL 6.x installation. I have not modified the same. Below is the configuration for same.
> [myuser at myhost ~]$ cat /etc/pam.d/login
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> session    optional     pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open
> session    required     pam_namespace.so
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> -session   optional     pam_ck_connector.so
> Do you still recommend to recheck with only  "auth required pam_permit.so" ?
> To understand the API I was referring to the online documentation for linux-pam. (http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_authenticate)
> 
> On the same page in "What can be expected by the application" under  "3.1.1.1. DESCRIPTION"  below is mentioned.
> 
> The pam_handle_t is a blind structure and the application should not
> attempt to probe it directly for information. Instead the PAM library
> provides the functions pam_set_item(3) and pam_get_item(3). The PAM
> handle cannot be used for mulitiple authentications at the same time
> as long as pam_end was not called on it before. 

> To me this implies that if pam_end is not called the same handle can
> be reused. Can you please reconfirm if the understanding is correct.

The sentence you mention from the pam_start() documentation
unfortunately does not make much sense and due to the double negative in
it it seems to imply that you have to call pam_end() if you want to use
the handle for multiple authentications. That is of course nonsense. As
I said you should try to test the multiple authentications with a single
handle with as simple PAM stack configuration as possible and add
modules by one to test which module causes the delay. I do not think the
library itself causes it but instead some modules do. In general it is
not recommended to reuse the handle for multiple authentications because
some PAM modules might not handle that gracefully and I do not know of
any software that is part of the RHEL-6 that would reuse the handle for
multiple authentications.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

More information about the Pam-list mailing list