Bug 1010249
| Summary: | pam_tally2/pam problem during simultaneous authentication | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Rafal Juszkiewicz <dzozo> | ||||||||
| Component: | pam | Assignee: | Tomas Mraz <tmraz> | ||||||||
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 5.9 | ||||||||||
| Target Milestone: | rc | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | x86_64 | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2013-12-02 17:03:01 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
Created attachment 800449 [details]
pam config which causes problems
Created attachment 800450 [details]
pam config without "lock_time=1"
This Bugzilla has been reviewed by Red Hat and is not planned on being addressed in Red Hat Enterprise Linux 5, and therefore will be closed. If this bug is critical to production systems, please contact your Red Hat support representative and provide sufficient business justification. |
Created attachment 800445 [details] authenticator source code It's very similar to 455217. But "serialize" does not fully solve the issue. Description of problem: When one has defined "lock_time=1" into the PAM config file used for authentication, fast simultaneous authentication from two different processes fail randomly even though "serialize" is present in PAM config and username and password are correct. Version-Release number of selected component (if applicable): pam-0.99.6.2-6.el5_5.2 How reproducible: Put 10 authenticators running simultaneously in a tight loop each using the same PAM config file. Use correct username and password. Steps to Reproduce: 1) compile the reproducer pam_authenticate.c (-lpam -lpam_misc) 2) copy files pam-test-1 & pam-test-2 to /etc/pam.d. 3) create a test user. 4) run ten instances in ten different terminals of: ./pam_authenticate pam-test-1 test_user password 5) stop one or more of running ./pam_authenticate using CTRL+C Actual results: Sometimes on one of terminals with running ./pam_authenticate an error appears: You have time limit [1s left] since last failure. pam_authenticate: 7: Authentication failure Expected results: There should be no errors or failed authentications. Additional info: It's quite rare. But not difficult to reproduce. If stopping an authenticator doesn't cause a failure, run it one more time and stop a program in different terminal. Such action performed several times should reproduce the problem. pam-test-2 is without lock_time=1 option - with this config pam works fine