Bug 1010249 - pam_tally2/pam problem during simultaneous authentication
pam_tally2/pam problem during simultaneous authentication
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam (Show other bugs)
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2013-09-20 07:24 EDT by Rafal Juszkiewicz
Modified: 2013-12-02 12:03 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-12-02 12:03:01 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
authenticator source code (3.75 KB, text/x-csrc)
2013-09-20 07:24 EDT, Rafal Juszkiewicz
no flags Details
pam config which causes problems (268 bytes, text/plain)
2013-09-20 07:25 EDT, Rafal Juszkiewicz
no flags Details
pam config without "lock_time=1" (256 bytes, text/plain)
2013-09-20 07:27 EDT, Rafal Juszkiewicz
no flags Details

  None (edit)
Description Rafal Juszkiewicz 2013-09-20 07:24:19 EDT
Created attachment 800445 [details]
authenticator source code

It's very similar to 455217. But "serialize" does not fully solve the issue.

Description of problem:

  When one has defined "lock_time=1" into the PAM config file used for authentication, fast simultaneous authentication from two different processes fail randomly even though "serialize" is present in PAM config and username and password are correct.

Version-Release number of selected component (if applicable):


How reproducible:

  Put 10 authenticators running simultaneously in a tight loop each using the
same PAM config file. Use correct username and password.

Steps to Reproduce:
1) compile the reproducer pam_authenticate.c (-lpam -lpam_misc)
2) copy files pam-test-1 & pam-test-2 to /etc/pam.d.
3) create a test user.
4) run ten instances in ten different terminals of: ./pam_authenticate
pam-test-1 test_user password
5) stop one or more of running ./pam_authenticate using CTRL+C

Actual results:
Sometimes on one of terminals with running ./pam_authenticate an error appears:
You have time limit [1s left] since last failure.
pam_authenticate: 7: Authentication failure

Expected results:
There should be no errors or failed authentications.

Additional info:
It's quite rare. But not difficult to reproduce. If stopping an authenticator doesn't cause a failure, run it one more time and stop a program in different terminal. Such action performed several times should reproduce the problem.

pam-test-2 is without lock_time=1 option - with this config pam works fine
Comment 1 Rafal Juszkiewicz 2013-09-20 07:25:58 EDT
Created attachment 800449 [details]
pam config which causes problems
Comment 2 Rafal Juszkiewicz 2013-09-20 07:27:35 EDT
Created attachment 800450 [details]
pam config without "lock_time=1"
Comment 3 Tomas Mraz 2013-12-02 12:03:01 EST
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business

Note You need to log in before you can comment on or make changes to this bug.