Red Hat Bugzilla – Bug 1010249
pam_tally2/pam problem during simultaneous authentication
Last modified: 2013-12-02 12:03:01 EST
Created attachment 800445 [details]
authenticator source code
It's very similar to 455217. But "serialize" does not fully solve the issue.
Description of problem:
When one has defined "lock_time=1" into the PAM config file used for authentication, fast simultaneous authentication from two different processes fail randomly even though "serialize" is present in PAM config and username and password are correct.
Version-Release number of selected component (if applicable):
Put 10 authenticators running simultaneously in a tight loop each using the
same PAM config file. Use correct username and password.
Steps to Reproduce:
1) compile the reproducer pam_authenticate.c (-lpam -lpam_misc)
2) copy files pam-test-1 & pam-test-2 to /etc/pam.d.
3) create a test user.
4) run ten instances in ten different terminals of: ./pam_authenticate
pam-test-1 test_user password
5) stop one or more of running ./pam_authenticate using CTRL+C
Sometimes on one of terminals with running ./pam_authenticate an error appears:
You have time limit [1s left] since last failure.
pam_authenticate: 7: Authentication failure
There should be no errors or failed authentications.
It's quite rare. But not difficult to reproduce. If stopping an authenticator doesn't cause a failure, run it one more time and stop a program in different terminal. Such action performed several times should reproduce the problem.
pam-test-2 is without lock_time=1 option - with this config pam works fine
Created attachment 800449 [details]
pam config which causes problems
Created attachment 800450 [details]
pam config without "lock_time=1"
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business