Description of problem:
The current version of pam_radius shipped in EPEL8 isn't thread-safe, and this is affecting the user authentication times. The user authentication requests need to be serialized, thus causing high etimes when many users try to authenticate at the same time.

Version-Release number of selected component (if applicable):
pam_radius-1.4.0-15.el8

How reproducible:
Authenticate many users at the same time.

Actual results:
Users can wait several minutes to get the authentication processed.

Expected results:
Users should wait at most several seconds.

Additional info:
Upstream already fixed the problem for pam_radius-2.0.0, thus the solution involves rebasing the package.

FEDORA-EPEL-2022-b0c25deca8 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-b0c25deca8
FEDORA-EPEL-2022-b0c25deca8 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-b0c25deca8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2022-b0c25deca8 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.

Description of problem:
The current version of pam_radius shipped in EPEL8 and EPEL9 isn't working in MFA (2FA) mode. If we bypass 2FA/Linux auth, then radius auth alone works, but if we include both, it does not work: the password prompt repeats again and again and sends requests to the radius server. The first attempt with the radius password is successful, but the second password prompt, for the OS password, is not successful, and it is sent again to the radius server. For example, see below:

ssh infra.nabil.x.x
password (enter radius password) --> successful auth as per radius logs.
password (enter OS password) --> failed because the request was sent again to the radius server instead of local auth

Here are the debug logs of pam.d/sshd:

Oct 31 02:37:28 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: Got user name infra.nabil
Oct 31 02:37:28 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: DEBUG: get_ipaddr(10.50.1.1) returned 0.
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: Got RADIUS response code 2
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: authentication succeeded
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.50.3.117 user=infra.nabil
Oct 31 02:37:56 Oracle-Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117
Oct 31 02:37:56 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: Got user name infra.nabil
Oct 31 02:37:56 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:38:24 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:38:24 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: DEBUG: get_ipaddr(10.50.1.1) returned 0.
Oct 31 02:38:25 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: Got RADIUS response code 3
Oct 31 02:38:25 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: authentication failed
Oct 31 02:38:27 Oracle-Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117

Version-Release number of selected component (if applicable):
pam_radius-2.0.0-3.el9.x86_64

How reproducible:
Install the latest version of pam_radius, set up 2FA for the ssh user, and set up pam.d/sshd as below:

#%PAM-1.0
auth required pam_radius_auth.so debug
auth substack password-auth debug
auth include postlogin debug
account required pam_sepermit.so debug
account required pam_nologin.so debug
account include password-auth debug
password include password-auth debug

Set up a local user in the OS with a password, enable password auth and challenge response in the ssh conf, and restart the sshd service.

Expected results:
Users should be able to log in.

Additional info:
The same thing works fine on pam_radius-1.4.0-15 on both EPEL8 and EPEL9, but after upgrading to version 2, it won't work as expected.
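
An added triage example, not part of the bug report or of pam_radius: it groups the debug lines by sshd PID and reports, for each login attempt, what the RADIUS server answered and whether pam_unix failed afterwards. The code-to-name mapping follows RFC 2865; the function and variable names are illustrative, and the sample lines are copied from the log in the report above.

```python
import re
from collections import OrderedDict

# RADIUS packet codes as defined in RFC 2865.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RESPONSE = re.compile(r"pam_radius_auth: Got RADIUS response code (\d+)")
UNIX_FAIL = re.compile(r"pam_unix\(sshd:auth\): authentication failure")

def classify(log_text):
    """Return {pid: verdict} for each sshd process that logged a RADIUS response."""
    state = OrderedDict()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry = state.setdefault(m["pid"], {"code": None, "unix_failed": False})
        r = RESPONSE.search(m["msg"])
        if r:
            entry["code"] = int(r.group(1))
        elif UNIX_FAIL.search(m["msg"]):
            entry["unix_failed"] = True
    verdicts = {}
    for pid, e in state.items():
        if e["code"] is None:
            continue  # no RADIUS response under this PID (e.g. only the final PAM error)
        name = RADIUS_CODES.get(e["code"], f"code {e['code']}")
        if e["code"] == 2 and e["unix_failed"]:
            verdicts[pid] = f"{name}, then pam_unix failed in the same sshd process"
        elif e["code"] == 2:
            verdicts[pid] = f"{name}, no pam_unix failure logged"
        else:
            verdicts[pid] = f"{name} from the RADIUS server"
    return verdicts

# Lines copied from the debug log in the report above.
SAMPLE = """\
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: Got RADIUS response code 2
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.50.3.117 user=infra.nabil
Oct 31 02:37:56 Oracle-Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117
Oct 31 02:38:25 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: Got RADIUS response code 3
Oct 31 02:38:27 Oracle-Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117
"""

if __name__ == "__main__":
    for pid, verdict in classify(SAMPLE).items():
        print(pid, verdict)
```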