increasing the 'auth' attempts allowed by pam_unix
Gagan Sidhu
broly at mac.com
Wed Feb 20 18:00:55 UTC 2019
Hello everyone,
as a follow up, this was my /etc/pam.d/httpd file for the below issue:
> auth required pam_unix.so nullok try_first_pass
> account required pam_unix.so
> password required pam_unix.so
now, if i change this file to, say:
> auth required pam_rootok.so
> account required pam_unix.so
> password required pam_unix.so
or anything where “pam_rootok.so” is the first module (that will succeed, as this daemon is run as root), then the below goes away.
so it is definitely something to do with PAM throttling successful authorisations, as the rootok module will force the user to login once, but never again.
to contrast both situations:
-for the first /etc/pam.d/httpd file
-if you invoke passwd from command line as root and change the password, the webpanel will (within a few seconds) request you login again.
-for the second /etc/pam.d/httpd file (with rootok.so as the first module)
-if you invoke passwd from command line as root and change the password, the webpanel DOES NOT request that you login again.
if you could provide any insight to say, maybe invoking pam_rootok.so after authorising successfully, i’d be grateful. i’ve tried the following:
> auth required pam_env.so
> account required pam_unix.so
> auth required pam_unix.so nullok
> account required pam_rootok.so
> password required pam_unix.so
>
but it has not yielded a different outcome (when compared to the first /etc/pam.d/httpd file).
Thanks,
Gagan
> On Feb 14, 2019, at 1:37 PM, Gagan Sidhu <broly at mac.com> wrote:
>
> hello.
>
> First of all, my original inquiry is here: https://www.redhat.com/archives/pam-list/2018-May/msg00004.html
>
> I think the issue is that the httpd daemon is “hammering” pam with too many “auths”, and thus when it begins to spit out
>
>> May 22 18:31:32 DD-WRT httpd[536]: pam_unix(httpd:auth): auth could not identify password for [root]
>> May 22 18:31:32 DD-WRT httpd[536]: pam_unix(httpd:auth): auth could not identify password for [root]
>
> follwoed by
>
>> May 22 18:31:32 DD-WRT : Caught SIGSEGV (11) sent by kernel in ???
>> May 22 18:31:32 DD-WRT : Thread 2373: httpd
>> May 22 18:31:32 DD-WRT : === Context:
>> May 22 18:31:32 DD-WRT : ZERO:00000000 AT:00000001 V0:00000000 V1:00000001 A0:6677656e A1:00000001
>> May 22 18:31:32 DD-WRT : A2:00000010 A3:74600471 T0:00000001 T1:00000fa6 T2:00000000 T3:006e7275
>> May 22 18:31:32 DD-WRT : T4:76dbae28 T5:77c28020 T6:004400b0 T7:746005b8 S0:746004b0 S1:77adda30
>> May 22 18:31:32 DD-WRT : S2:746005b0 S3:74600470 S4:76dbb920 S5:00000000 S6:00409804 S7:76dbb920
>> May 22 18:31:32 DD-WRT : T8:00000000 T9:77ad90e8 K0:7460049b K1:00000000 GP:77bf7e20 SP:76dbaee8
>> May 22 18:31:32 DD-WRT : FP:76dbaf40 RA:77bb4484
>> May 22 18:31:32 DD-WRT : === Backtrace:
>> May 22 18:31:32 DD-WRT : # [0x77bb442c]: ra offset 44
>> May 22 18:31:32 DD-WRT : # [0x77bb4418]: stack size 48
>> May 22 18:31:32 DD-WRT : # [0x77bb45e8]: ra offset 36
>> May 22 18:31:32 DD-WRT : # [0x77bb45d0]: stack size 40
>> May 22 18:31:32 DD-WRT : # [0x77bfbb54]: ra offset 172
>> May 22 18:31:32 DD-WRT : # [0x77bfbb28]: stack size 176
>> May 22 18:31:32 DD-WRT : # [0x77b5768c]: stack size 32
>> May 22 18:31:32 DD-WRT : # [0x77b57678]: stack size 32
>> May 22 18:31:32 DD-WRT : # [0x77b5761c]: stack size 32
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](+0x00160474)[0x77bb4474]
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](__libc_thread_freeres+0x00000058)[0x77bb461c]
>> May 22 18:31:32 DD-WRT : /lib/libpthread.so.0[0x77bf5000](+0x00006c84)[0x77bfbc84]
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](+0x001036ac)[0x77b576ac]
>> May 22 18:31:32 DD-WRT : ???(+0)[0x77f9b030]
>> May 22 18:31:32 DD-WRT : === Code:
>> May 22 18:31:32 DD-WRT : 77bb4434: afb10020 afb0001c 1260001c 26700040 00602025 8f8394f0 ac400000 00641821
>> May 22 18:31:32 DD-WRT : 77bb4454: 24020001 8f9187ec a0620000 26720140 8e040000 00000000 10800009 00000000
>> May 22 18:31:32 DD-WRT : 77bb4474: >8c820000 0220c825 0320f809 ae020000 8e040000 00000000 1480fff9 00000000
>> May 22 18:31:32 DD-WRT : 77bb4494: 26100004 1650fff2 0220c825 0320f809 02602025 8fbc0010 00000000 8f8294e8
>> May 22 18:31:32 DD-WRT : Caught SIGABRT (6) sent by tkill
>> May 22 18:31:32 DD-WRT : Thread 2374: httpd
>> May 22 18:31:32 DD-WRT : === Context:
>> May 22 18:31:32 DD-WRT : ZERO:00000000 AT:00000001 V0:00000000 V1:74ffec00 A0:00000003 A1:74ffec00
>> May 22 18:31:32 DD-WRT : A2:00000000 A3:00000000 T0:00000000 T1:00000401 T2:00000001 T3:77fa7000
>> May 22 18:31:32 DD-WRT : T4:00002000 T5:fffffffc T6:00100000 T7:00001072 S0:00000000 S1:74ffec00
>> May 22 18:31:32 DD-WRT : S2:77bf4000 S3:00000010 S4:77ae4c70 S5:77f9a000 S6:00000002 S7:00000002
>> May 22 18:31:32 DD-WRT : T8:77abf088 T9:77a85fb0 K0:00000010 K1:00000000 GP:77bf7e20 SP:74ffeb78
>> May 22 18:31:32 DD-WRT : FP:74ffee10 RA:77a87754
>> May 22 18:31:32 DD-WRT : === Backtrace:
>> May 22 18:31:32 DD-WRT : # [0x77a85fc0]: stack size 272
>> May 22 18:31:32 DD-WRT : # [0x77a875e4]: ra offset 316
>> May 22 18:31:32 DD-WRT : # [0x77a875dc]: stack size 320
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](gsignal+0x000000d0)[0x77a86080]
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](abort+0x00000184)[0x77a87754]
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](__libc_fatal+0x00000000)[0x77ace564]
>> May 22 18:31:32 DD-WRT : /usr/lib/libutils.so[0x77c7f000](+0x00014b74)[0x77c93b74]
>> May 22 18:31:32 DD-WRT : === Code:
>> May 22 18:31:32 DD-WRT : 77a86040: 0000000c 00402025 2402107e 0000000c 00402825 02003025 240210aa 0000000c
>> May 22 18:31:32 DD-WRT : 77a86060: 14e0000c 00408025 24040003 02202825 00003025 24070010 24021063 0000000c
>> May 22 18:31:32 DD-WRT : 77a86080: >02001025 8fb1010c 8fb00108 03e00008 27bd0110 8f8294d8 7c03e83b 00431021
>> May 22 18:31:32 DD-WRT : 77a860a0: ac500000 1000fff0 2410ffff 00000000 3c1c0017 279c1d70 0399e021 04800005
>> May 22 18:31:32 DD-WRT : Caught SIGABRT (6) sent by tkill
>> May 22 18:31:32 DD-WRT : Thread 2370: httpd
>> May 22 18:31:32 DD-WRT : === Context:
>> May 22 18:31:32 DD-WRT : ZERO:00000000 AT:00000001 V0:00000000 V1:7789fc00 A0:00000003 A1:7789fc00
>> May 22 18:31:32 DD-WRT : A2:00000000 A3:00000000 T0:00000000 T1:00000401 T2:77f99000 T3:77fa7000
>> May 22 18:31:32 DD-WRT : T4:00002000 T5:fffffffc T6:00100000 T7:00001072 S0:00000000 S1:7789fc00
>> May 22 18:31:32 DD-WRT : S2:77bf4000 S3:00000010 S4:77ae4c70 S5:77f99000 S6:00000002 S7:00000002
>> May 22 18:31:32 DD-WRT : T8:77abf088 T9:77a85fb0 K0:00000010 K1:00000000 GP:77bf7e20 SP:7789fb78
>> May 22 18:31:32 DD-WRT : FP:7789fe10 RA:77a87754
>> May 22 18:31:32 DD-WRT : === Backtrace:
>> May 22 18:31:32 DD-WRT : # [0x77a85fc0]: stack size 272
>> May 22 18:31:32 DD-WRT : # [0x77a875e4]: ra offset 316
>> May 22 18:31:32 DD-WRT : # [0x77a875dc]: stack size 320
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](gsignal+0x000000d0)[0x77a86080]
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](abort+0x00000184)[0x77a87754]
>> May 22 18:31:32 DD-WRT : /lib/libc.so.6[0x77a54000](__libc_fatal+0x00000000)[0x77ace564]
>> May 22 18:31:32 DD-WRT : /usr/lib/libutils.so[0x77c7f000](+0x00014b74)[0x77c93b74]
>> May 22 18:31:32 DD-WRT : === Code:
>> May 22 18:31:32 DD-WRT : 77a86040: 0000000c 00402025 2402107e 0000000c 00402825 02003025 240210aa 0000000c
>> May 22 18:31:32 DD-WRT : 77a86060: 14e0000c 00408025 24040003 02202825 00003025 24070010 24021063 0000000c
>> May 22 18:31:32 DD-WRT : 77a86080: >02001025 8fb1010c 8fb00108 03e00008 27bd0110 8f8294d8 7c03e83b 00431021
>> May 22 18:31:32 DD-WRT : 77a860a0: ac500000 1000fff0 2410ffff 00000000 3c1c0017 279c1d70 0399e021 04800005
>>
>
> that it’s a result of too many ‘auth’ requests being sent to PAM, which eventually has the module return “could not identify password for [user]”.
>
> My question is: is there a way to increase the number of auth attempts for this program? This specific page is trying to query 18-20 interfaces and then render their activity via SVG.
> -even though I’m only using one of the interfaces, the UI will draw all 18-20 anyways, so I suspect the daemon’s voluminous attempts (due to the SVG being a plot that’s updated constantly) results in this error, as some kind of throttling.
>
> any tips?
>
> Thanks,
> Gagan
>
>
>
>
More information about the Pam-list
mailing list