Bug 446025 - pam_tally2 race when authenticating more than once at the same time.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.8
Hardware: All
OS: Linux
Importance: high medium
Target Milestone: rc
: 4.8
Assignee: Tomas Mraz
Blocks: 391511 447953 458123 494835
Reported: 2008-05-12 08:00 UTC by Jose Plans
Modified: 2018-10-20 01:16 UTC (History)

Doc Type: Enhancement
Last Closed: 2009-05-18 20:24:53 UTC


Attachments
pam_authenticate.c (3.61 KB, text/x-csrc)
2008-05-12 08:00 UTC, Jose Plans
... auth required pam_tally2.so lock_time=1 unlock_time=3600 deny=5 ... (258 bytes, application/octet-stream)
2008-05-12 08:02 UTC, Jose Plans
[pam-test-2] ... auth required pam_tally2.so unlock_time=3600 deny=5 ... (246 bytes, application/octet-stream)
2008-05-12 08:04 UTC, Jose Plans


Links
Red Hat Product Errata RHBA-2009:0995 (priority normal, status SHIPPED_LIVE): "pam bug fix and enhancement update", last updated 2009-05-18 13:57:29 UTC

Description Jose Plans 2008-05-12 08:00:58 UTC
Description of problem:

  When "lock_time=1" is defined in the PAM config file used for
authentication, fast simultaneous authentication from two different processes
fails randomly even though the username and password are correct.

How reproducible:

  Put two authenticators running simultaneously in a tight loop each using the
same PAM config file. Use correct username and password.

Steps to Reproduce:

1) compile the reproducer pam_authenticate.c (-lpam -lpam_misc)
2) copy files pam-test-1 & pam-test-2 to /etc/pam.d.
3) create a test user.
4) run two instances, in two different terminals, of: ./pam_authenticate pam-test-1 test_user password

Actual results:

   This message appears from time to time:
           pam_tally2: user test_user (500) has time limit [1s left] since last failure.

   This happens when:
     a) One process is run in a tight loop.
     b) Two processes authenticating in a tight loop are run with the pam_tally
lock_time=1 parameter. This can be tested using the pam-test-2 config file.

Expected results:

   No messages or errors should be shown.

Additional comments:

   Attachments: test case pam_authenticate.c and both pam-test-1 and pam-test-2 for testing.

Comment 1 Jose Plans 2008-05-12 08:00:58 UTC
Created attachment 305095 [details]
pam_authenticate.c

Comment 2 Jose Plans 2008-05-12 08:02:08 UTC
Created attachment 305097 [details]
... auth    required pam_tally2.so lock_time=1 unlock_time=3600 deny=5 ...

Comment 3 Jose Plans 2008-05-12 08:04:28 UTC
Created attachment 305099 [details]
[pam-test-2] ... auth    required pam_tally2.so unlock_time=3600 deny=5 ...

Above is pam-test-1

Comment 4 Tomas Mraz 2008-05-12 13:24:50 UTC
I'm sorry, but this is an inherent problem in the way pam_tally/pam_tally2
works.  We would have to serialize all authentication attempts through PAM so
that while one attempt is not yet finished the other attempt waits for a
lock to be released. I do not think it is a bug strictly speaking, because the
result of the authentication attempt which is in progress is not yet
determined, so if you are using the lock_time=1 option it means the tally lock is
in effect during it. Of course even without lock_time=1, with a sufficiently
low deny value it could eventually happen, because if more than deny
attempts are happening simultaneously the tally lock will be in effect for the
following attempts.

I could add an option to pam_tally which would serialize the authentication
attempts, but I'd prefer not to turn it on by default.
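
The two situations described in this comment (the lock_time=1 case from the description's pam-test-1 config, and the deny-only case from pam-test-2) as a small model, added here as an example; this is not pam_tally2's source. The struct and function names, the timestamps and the way `tally_begin`/`tally_end` stand in for the module's auth-phase bump and its reset after a successful attempt are assumptions made for the illustration.

```c
/* Added model of the pam_tally2 lock_time race; not the pam_tally2 sources.
 * Assumptions: one tally record is shared by every authenticator for a
 * user; the auth phase bumps the counter before the password is known to
 * be right, and only a completed, successful attempt resets it. */
#include <stdbool.h>
#include <stdio.h>

struct tally_cfg {
    long lock_time;   /* seconds, the lock_time= option in the pam config */
    unsigned deny;    /* the deny= option in the pam config */
};

struct tally {
    unsigned count;     /* failures recorded, plus attempts still in flight */
    long last_failure;  /* time of the most recent bump */
};

/* Auth phase entry: returns true if the attempt may go on to check the password. */
bool tally_begin(struct tally *t, const struct tally_cfg *c, long now)
{
    if (c->deny && t->count >= c->deny)
        return false;   /* deny= threshold reached */
    if (c->lock_time && t->count > 0 && now - t->last_failure < c->lock_time)
        return false;   /* "user ... has time limit [Ns left] since last failure" */
    t->count++;         /* counted as a failure until the attempt completes */
    t->last_failure = now;
    return true;
}

/* Attempt completed: a success clears the record. */
void tally_end(struct tally *t, bool success)
{
    if (success)
        t->count = 0;
}

/* Two processes with the correct password whose auth phases overlap within
 * one second under lock_time=1 (the pam-test-1 case). Returns how many succeed. */
int overlapping_attempts(void)
{
    const struct tally_cfg cfg = { 1, 5 };
    struct tally t = { 0, 0 };
    int ok = 0;
    bool a = tally_begin(&t, &cfg, 100);  /* A enters the auth phase */
    bool b = tally_begin(&t, &cfg, 100);  /* B enters before A has finished */
    if (a) { tally_end(&t, true); ok++; }
    if (b) { tally_end(&t, true); ok++; }
    return ok;  /* 1: B is refused although its password is right */
}

/* The same two attempts serialized: B only starts once A has completed.
 * This is what the optional serialization mentioned above would buy. */
int serialized_attempts(void)
{
    const struct tally_cfg cfg = { 1, 5 };
    struct tally t = { 0, 0 };
    int ok = 0;
    if (tally_begin(&t, &cfg, 100)) { tally_end(&t, true); ok++; }
    if (tally_begin(&t, &cfg, 100)) { tally_end(&t, true); ok++; }
    return ok;  /* 2 */
}

/* Without lock_time (the pam-test-2 case), n overlapping correct attempts
 * under deny=5: returns how many get past the tally check. */
int simultaneous_attempts(int n)
{
    const struct tally_cfg cfg = { 0, 5 };
    struct tally t = { 0, 0 };
    bool admitted[64];
    int ok = 0;
    if (n > 64) n = 64;
    for (int i = 0; i < n; i++)
        admitted[i] = tally_begin(&t, &cfg, 100);   /* all enter before any finishes */
    for (int i = 0; i < n; i++)
        if (admitted[i]) { tally_end(&t, true); ok++; }
    return ok;  /* min(n, 5) */
}

int main(void)
{
    printf("lock_time=1, two overlapping attempts: %d of 2 succeed\n", overlapping_attempts());
    printf("lock_time=1, serialized:               %d of 2 succeed\n", serialized_attempts());
    printf("deny=5, six overlapping attempts:      %d of 6 succeed\n", simultaneous_attempts(6));
    return 0;
}
```

The model makes the point of the comment concrete: the second process is refused not because any password was wrong, but because the first attempt is still counted as a failure until it completes, so the refusal is a property of the counting scheme rather than a bug in the check itself; serializing the attempts is the only way to make the second begin after the first has been resolved.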


Comment 5 Russell Doty 2008-07-02 13:28:15 UTC
We need an NSN commitment to test the patch as soon as it is available.

Comment 6 Issue Tracker 2008-07-07 10:37:19 UTC
Yes. NSN commits to test this.


This event sent from IssueTracker by sprabhu, issue 167119

Comment 18 errata-xmlrpc 2009-05-18 20:24:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0995.html

