Bug 446025 - pam_tally2 race when authenticating more than once at the same time.
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Hardware/OS: All Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: 4.8
Assigned To: Tomas Mraz
Keywords: FutureFeature, OtherQA
Blocks: 391511 447953 458123 494835
Reported: 2008-05-12 04:00 EDT by Jose Plans
Modified: 2012-07-20 09:50 EDT

Doc Type: Enhancement
Last Closed: 2009-05-18 16:24:53 EDT

Attachments:
pam_authenticate.c (3.61 KB, text/x-csrc) - 2008-05-12 04:00 EDT, Jose Plans
... auth required pam_tally2.so lock_time=1 unlock_time=3600 deny=5 ... (258 bytes, application/octet-stream) - 2008-05-12 04:02 EDT, Jose Plans
[pam-test-2] ... auth required pam_tally2.so unlock_time=3600 deny=5 ... (246 bytes, application/octet-stream) - 2008-05-12 04:04 EDT, Jose Plans

Description Jose Plans 2008-05-12 04:00:58 EDT
Description of problem:

  When one has defined "lock_time=1" in the PAM config file used for
authentication, fast simultaneous authentication from two different processes
fails randomly even though username and password are correct.

How reproducible:

  Put two authenticators running simultaneously in a tight loop each using the
same PAM config file. Use correct username and password.

Steps to Reproduce:

1) compile the reproducer pam_authenticate.c (-lpam -lpam_misc)
2) copy files pam-test-1 & pam-test-2 to /etc/pam.d.
3) create a test user.
4) run two instances in two different terminals of: ./pam_authenticate pam-test-1 test_user password

Actual results:

   This message appears from time to time:
           pam_tally2: user test_user (500) has time limit [1s left] since last

   This happens when:
     a) One process is run in a tight loop.
     b) Two processes authenticating in a tight loop are run with pam_tally
lock_time=1 parameter. This can be tested using the pam-test-2 config file.

Expected results:

   No messages or errors should be shown.

Additional comments:

   Attachments: test case pam_authenticate.c and both pam-test-1,pam-test-2 for
Comment 1 Jose Plans 2008-05-12 04:00:58 EDT
Created attachment 305095
Comment 2 Jose Plans 2008-05-12 04:02:08 EDT
Created attachment 305097
... auth    required pam_tally2.so lock_time=1 unlock_time=3600 deny=5 ...
Comment 3 Jose Plans 2008-05-12 04:04:28 EDT
Created attachment 305099
[pam-test-2] ... auth    required pam_tally2.so unlock_time=3600 deny=5 ...

Above is pam-test-1
Comment 4 Tomas Mraz 2008-05-12 09:24:50 EDT
I'm sorry but this is an inherent problem in the way pam_tally/pam_tally2
works.  We would have to serialize all authentication attempts through PAM so
that while one attempt is not yet finished, the other attempt waits for a
lock to be released. I do not think it is a bug strictly speaking, because the
result of the authentication attempt which is in progress is not yet
determined, so if you are using the lock_time=1 option the tally lock is
in effect during it. Of course even without lock_time=1, with a sufficiently
low deny value it could eventually happen, because if more than deny
attempts are happening simultaneously the tally lock will be in effect for the
following attempts.

I could add an option to pam_tally which would serialize the authentication
attempts but I'd prefer not to turn it on by default.
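The comment above describes why an in-flight attempt already counts against lock_time and deny. The following is an added, simplified model of that bump-then-check ordering, written for this page and not taken from pam_tally2 itself; it assumes (as labelled in the comments) that the module bumps the per-user tally record before the password result is known, checks lock_time against the previous record's timestamp, and clears the record on success.

```python
from dataclasses import dataclass

@dataclass
class Tally:
    """Constructed per-user tally record (simplified)."""
    fail_cnt: int = 0
    fail_time: float = 0.0   # time of the last bump, i.e. the last "failure"

class Tally2Model:
    """Assumed semantics: bump first, check against the pre-bump record, clear on success."""
    def __init__(self, deny=5, lock_time=0.0):
        self.deny, self.lock_time = deny, lock_time
        self.rec = Tally()

    def auth_begin(self, now):
        """Authentication stage. Returns None if allowed, else a deny reason."""
        old_time = self.rec.fail_time
        self.rec.fail_cnt += 1           # an in-flight attempt counts as a failure
        self.rec.fail_time = now
        if self.deny and self.rec.fail_cnt > self.deny:
            return "locked due to %d failed logins" % self.rec.fail_cnt
        if self.lock_time and old_time + self.lock_time > now:
            return "has time limit [%.1fs left] since last failure" % (
                old_time + self.lock_time - now)
        return None

    def auth_success(self):
        """Successful login clears the record (assumed full reset)."""
        self.rec = Tally()

def run_schedule(model, events):
    """Replay (time, proc, 'begin'|'success') events; a denied proc never reaches success.
    Every denial returned is spurious here, since all passwords are correct."""
    denied, rejected = [], set()
    for now, proc, kind in events:
        if kind == "begin":
            reason = model.auth_begin(now)
            if reason:
                denied.append((proc, reason))
                rejected.add(proc)
        elif proc not in rejected:
            model.auth_success()
    return denied

# Constructed interleaving of two correct-password processes (pam-test-1 settings):
# B begins 0.3s after A, before A's success has cleared A's bump.
TWO_PROCS = [(1000.0, "A", "begin"), (1000.3, "B", "begin"),
             (1000.4, "A", "success"), (1000.5, "B", "success")]

def lock_time_race():
    return run_schedule(Tally2Model(deny=5, lock_time=1), TWO_PROCS)

def deny_race(n_parallel):
    """pam-test-2 settings (no lock_time): the (deny+1)-th simultaneous begin is locked."""
    events = [(1000.0, "P%d" % i, "begin") for i in range(n_parallel)]
    return run_schedule(Tally2Model(deny=5), events)
```

Running the same two attempts strictly one after the other produces no denial, which is the serialization the maintainer mentions; only the overlapping schedule does.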
Comment 5 Russell Doty 2008-07-02 09:28:15 EDT
We need an NSN commitment to test the patch as soon as it is available.
Comment 6 Issue Tracker 2008-07-07 06:37:19 EDT
Yes. NSN commits to test this.

This event sent from IssueTracker by sprabhu, issue 167119
Comment 18 errata-xmlrpc 2009-05-18 16:24:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.