Bug 1010249 - pam_tally2/pam problem during simultaneous authentication
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.9
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
Reported: 2013-09-20 11:24 UTC by Rafal Juszkiewicz
Modified: 2013-12-02 17:03 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-12-02 17:03:01 UTC


Attachments
authenticator source code (3.75 KB, text/x-csrc), 2013-09-20 11:24 UTC, Rafal Juszkiewicz
pam config which causes problems (268 bytes, text/plain), 2013-09-20 11:25 UTC, Rafal Juszkiewicz
pam config without "lock_time=1" (256 bytes, text/plain), 2013-09-20 11:27 UTC, Rafal Juszkiewicz

Description Rafal Juszkiewicz 2013-09-20 11:24:19 UTC
Created attachment 800445
authenticator source code

It's very similar to 455217. But "serialize" does not fully solve the issue.

Description of problem:

  When one has defined "lock_time=1" in the PAM config file used for authentication, fast simultaneous authentications from two different processes fail randomly even though "serialize" is present in the PAM config and the username and password are correct.

Version-Release number of selected component (if applicable):

pam-0.99.6.2-6.el5_5.2

How reproducible:

  Put 10 authenticators running simultaneously in a tight loop each using the same PAM config file. Use correct username and password.


Steps to Reproduce:
1) compile the reproducer pam_authenticate.c (-lpam -lpam_misc)
2) copy files pam-test-1 & pam-test-2 to /etc/pam.d.
3) create a test user.
4) run ten instances in ten different terminals of: ./pam_authenticate pam-test-1 test_user password
5) stop one or more of running ./pam_authenticate using CTRL+C

Actual results:
Sometimes, on one of the terminals running ./pam_authenticate, an error appears:
You have time limit [1s left] since last failure.
pam_authenticate: 7: Authentication failure


Expected results:
There should be no errors or failed authentications.

Additional info:
It's quite rare, but not difficult to reproduce. If stopping an authenticator doesn't cause a failure, run it one more time and stop a program in a different terminal. Such an action performed several times should reproduce the problem.

pam-test-2 is without lock_time=1 option - with this config pam works fine
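
Steps 4 and 5 of the report, scripted as an added example (not part of the original report or its attachments). It assumes the attached reproducer is built as ./pam_authenticate and keeps authenticating until killed; the function names, the log directory and the use of SIGTERM in place of CTRL+C are choices made here.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes ./pam_authenticate is the
# attached reproducer and that it loops until it is killed.
SERVICE=${SERVICE:-pam-test-1}          # use pam-test-2 for the control run
LOGDIR=${LOGDIR:-/tmp/pam-race-logs}    # hypothetical log location

# Count log lines carrying the failure message quoted in the report.
count_failures() {   # $1 = log directory
    cat "$1"/*.log 2>/dev/null | grep -c 'Authentication failure' || true
}

start_instance() {   # $1 = slot, $2 = user, $3 = password
    ./pam_authenticate "$SERVICE" "$2" "$3" >>"$LOGDIR/$1.log" 2>&1 &
    echo $! >"$LOGDIR/$1.pid"
}

# SIGTERM stands in for CTRL+C: background jobs of a non-interactive
# shell are started with SIGINT ignored, so kill -INT would do nothing.
stop_instance() {    # $1 = slot
    pid=$(cat "$LOGDIR/$1.pid")
    kill -TERM "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

run_repro() {        # $1 = user, $2 = password, $3 = rounds (default 20)
    mkdir -p "$LOGDIR"
    for slot in 0 1 2 3 4 5 6 7 8 9; do start_instance "$slot" "$1" "$2"; done
    round=0
    while [ "$round" -lt "${3:-20}" ]; do
        sleep 2
        victim=$((round % 10))          # stop one authenticator, then restart it
        stop_instance "$victim"
        start_instance "$victim" "$1" "$2"
        round=$((round + 1))
    done
    for slot in 0 1 2 3 4 5 6 7 8 9; do stop_instance "$slot"; done
    echo "failed authentications logged: $(count_failures "$LOGDIR")"
}

# Run only when asked: RUN_REPRO=1 sh pam-race.sh test_user password
if [ "${RUN_REPRO:-0}" = 1 ]; then run_repro "$@"; fi
```

Running it once with SERVICE=pam-test-1 and once with SERVICE=pam-test-2 gives the comparison the report draws between the two configs.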

Comment 1 Rafal Juszkiewicz 2013-09-20 11:25:58 UTC
Created attachment 800449
pam config which causes problems

Comment 2 Rafal Juszkiewicz 2013-09-20 11:27:35 UTC
Created attachment 800450
pam config without "lock_time=1"

Comment 3 Tomas Mraz 2013-12-02 17:03:01 UTC
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business
justification.
