Bug 455217 - pam_tally2 race when authenticating more than once at the same time.
pam_tally2 race when authenticating more than once at the same time.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam (Show other bugs)
Version: 5.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
: rc
: 5.4
Assigned To: Tomas Mraz
: OtherQA
Depends On:
Blocks: 441907 483784 494834
Reported: 2008-07-14 01:25 EDT by Jatin Nansi
Modified: 2010-10-22 22:48 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-02 07:23:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
pam_authenticate.c (3.61 KB, text/plain)
2008-07-14 01:27 EDT, Jatin Nansi
pam-test-1 (258 bytes, text/plain)
2008-07-14 01:27 EDT, Jatin Nansi
pam-test-2 (246 bytes, text/plain)
2008-07-14 01:28 EDT, Jatin Nansi

Description Jatin Nansi 2008-07-14 01:25:30 EDT
+++ This bug was initially created as a clone of Bug #446025 +++

Description of problem:

  When one has defined "lock_time=1" in the PAM config file used for
authentication, fast simultaneous authentication from two different processes
fails randomly even though username and password are correct.

How reproducible:

  Put two authenticators running simultaneously in a tight loop each using the
same PAM config file. Use correct username and password.

Steps to Reproduce:

1) compile the reproducer pam_authenticate.c (-lpam -lpam_misc)
2) copy files pam-test-1 & pam-test-2 to /etc/pam.d.
3) create a test user.
4) run two instances in two different terminals of: ./pam_authenticate
pam-test-1 test_user password

Actual results:

   This message appears from time to time:
           pam_tally2: user test_user (500) has time limit [1s left] since last
failure.

   This happens when:
     a) One process is run in a tight loop.
     b) Two processes authenticating in a tight loop are run with the pam_tally
lock_time=1 parameter. This can be tested using the pam-test-2 config file.

Expected results:

   No messages or errors should be shown.

Additional comments:

   Attachments: test case pam_authenticate.c and both pam-test-1,pam-test-2 for
testing.

-- Additional comment from jplans@redhat.com on 2008-05-12 04:00 EST --
Created an attachment (id=305095)
pam_authenticate.c


-- Additional comment from jplans@redhat.com on 2008-05-12 04:02 EST --
Created an attachment (id=305097)
... auth    required pam_tally2.so lock_time=1 unlock_time=3600 deny=5 ...


-- Additional comment from jplans@redhat.com on 2008-05-12 04:04 EST --
Created an attachment (id=305099)
[pam-test-2] ... auth	 required pam_tally2.so unlock_time=3600 deny=5 ...

Above is pam-test-1

-- Additional comment from tmraz@redhat.com on 2008-05-12 09:24 EST --
I'm sorry but this is an inherent problem in the way pam_tally/pam_tally2
works.  We would have to serialize all authentication attempts through PAM so
that while one attempt is not yet finished the other attempt waits for a
lock to be released. I do not think it is a bug strictly speaking, because the
result of the authentication attempt which is in progress is not yet
determined, so if you are using the lock_time=1 option it means the tally lock is
in effect during it. Of course even without lock_time=1, with a sufficiently
low deny value it could eventually happen, because if there are more than deny
attempts happening simultaneously the tally lock will be in effect for the
following attempts.

I could add an option to pam_tally which would serialize the authentication
attempts but I'd prefer not to turn it on by default.


-- Additional comment from rdoty@redhat.com on 2008-07-02 09:28 EST --
We need an NSN commitment to test the patch as soon as it is available.

-- Additional comment from tao@redhat.com on 2008-07-07 06:37 EST --
Yes. NSN commits to test this.


This event sent from IssueTracker by sprabhu 
 issue 167119
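The interleaving that the description and the comment from tmraz@redhat.com describe, replayed against a small model of the per-user tally record. This is an added, constructed example; it is not pam_tally2's code and not the attached pam_authenticate.c reproducer. The names (TallyModel, run_schedule, overlapping_lock_time, overlapping_deny, serialized_loops) and the timestamps are made up here, and two points of behaviour are assumptions rather than statements from this page: that the auth phase bumps the record before the password outcome is known and compares the timestamp read before the bump against lock_time, and that the reset after a successful login clears the whole record. The last function models the opt-in serialization the comment proposes, holding one lock from the auth phase through the reset, and goes beyond the report by also showing the deny-only variant with several overlapping attempts.

```python
"""Model of the pam_tally2 race described in this report (constructed
example; not pam_tally2's code and not the attached pam_authenticate.c).

Mechanism as described in the report: the auth phase records the attempt as
a failure before the password is verified, and only a later successful
setcred/account call resets the record.  Two attempts whose auth phases
overlap therefore each see the other's provisional failure.  Assumptions not
stated on the page: the lock_time check uses the timestamp read before the
bump, and a successful reset clears the whole record.
"""
import math
import threading
import time
from dataclasses import dataclass


@dataclass
class TallyRecord:
    fail_cnt: int = 0       # failures counted since the last successful login
    fail_time: float = 0.0  # time of the most recent bump (0 = never)


class TallyModel:
    """One user's record in the shared tally log."""

    def __init__(self, deny=5, lock_time=0):
        self.deny = deny            # deny=0 means no failure limit
        self.lock_time = lock_time  # seconds after a failure during which auth is refused
        self.rec = TallyRecord()

    def auth(self, now):
        """Auth phase: bump the record first, then apply the deny and lock_time checks."""
        old_time = self.rec.fail_time
        self.rec.fail_cnt += 1
        self.rec.fail_time = now
        if self.deny and self.rec.fail_cnt > self.deny:
            return "denied: %d failures exceed deny=%d" % (self.rec.fail_cnt, self.deny)
        if self.lock_time and old_time + self.lock_time > now:
            left = math.ceil(old_time + self.lock_time - now)
            return "time limit [%ds left] since last failure" % left
        return "ok"

    def reset(self):
        """Successful login: clear the record (assumption: timestamp included)."""
        self.rec = TallyRecord()


def run_schedule(tally, schedule):
    """Replay an explicit interleaving of (process, step, time) triples and
    return the outcome of every auth step in order."""
    results = []
    for proc, step, now in schedule:
        if step == "auth":
            results.append((proc, tally.auth(now)))
        else:
            tally.reset()
    return results


def overlapping_lock_time(lock_time=1):
    """Two processes, both with the correct password, whose auth phases overlap
    (the lock_time=1 situation).  B is refused although nobody failed."""
    tally = TallyModel(deny=5, lock_time=lock_time)
    schedule = [
        ("A", "auth", 100.00),   # A bumps the record: provisional failure at t=100
        ("B", "auth", 100.01),   # B reads A's stamp: inside lock_time, refused
        ("A", "reset", 100.02),  # A's password was fine: record cleared
    ]
    return run_schedule(tally, schedule)


def overlapping_deny(deny=2):
    """Without lock_time, more than `deny` simultaneous attempts still trip
    the lock, as the comment notes for a low deny value."""
    tally = TallyModel(deny=deny, lock_time=0)
    schedule = [("P%d" % i, "auth", 200.0 + i / 100) for i in range(deny + 1)]
    return run_schedule(tally, schedule)


def serialized_loops(workers=2, iterations=200, lock_time=1):
    """The serialization option the comment proposes: each login holds a lock
    from the auth phase through the reset, so no attempt observes another's
    provisional failure.  Returns the set of distinct outcomes."""
    tally = TallyModel(deny=5, lock_time=lock_time)
    gate = threading.Lock()
    results = []

    def loop():
        for _ in range(iterations):
            with gate:
                results.append(tally.auth(time.time()))
                tally.reset()

    threads = [threading.Thread(target=loop) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return set(results)


if __name__ == "__main__":
    for proc, outcome in overlapping_lock_time():
        print("lock_time=1, process %s: %s" % (proc, outcome))
    for proc, outcome in overlapping_deny():
        print("deny=2, process %s: %s" % (proc, outcome))
    print("serialized tight loops: %s" % sorted(serialized_loops()))
```

For an administrator the practical reading is the one in the comment: with lock_time set, any two logins for the same account whose auth phases overlap can produce the "time limit" refusal, and a deny value smaller than the number of concurrent logins can trip the count-based lock the same way; the only complete cure on the module side is serializing attempts, which is why it is offered as an option rather than the default.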
Comment 1 Jatin Nansi 2008-07-14 01:27:07 EDT
Created attachment 311679 [details]
pam_authenticate.c
Comment 2 Jatin Nansi 2008-07-14 01:27:50 EDT
Created attachment 311680 [details]
pam-test-1
Comment 3 Jatin Nansi 2008-07-14 01:28:37 EDT
Created attachment 311681 [details]
pam-test-2
Comment 6 Jatin Nansi 2009-02-09 20:12:04 EST
Tomas,
Since this is already fixed in RHEL4 (BZ #446025), can we have the fix forward ported for RHEL5 and get a test package?
Comment 7 Tomas Mraz 2009-02-10 10:33:16 EST
Here is the source rpm for testing purposes.

http://people.redhat.com/tmraz/testing/pam-0.99.6.2-4.1.test.el5.src.rpm
Comment 13 Chris Ward 2009-06-14 19:15:33 EDT
~~ Attention Partners RHEL 5.4 Partner Alpha Released! ~~

RHEL 5.4 Partner Alpha has been released on partners.redhat.com. There should
be a fix present that addresses this particular request. Please test and report back your results here, at your earliest convenience. Our Public Beta release is just around the corner!

If you encounter any issues, please set the bug back to the ASSIGNED state and
describe the issues you encountered. If you have verified the request functions as expected, please set your Partner ID in the Partner field above to indicate successful test results. Do not flip the bug status to VERIFIED. Further questions can be directed to your Red Hat Partner Manager. Thanks!
Comment 14 Chris Ward 2009-07-03 14:04:34 EDT
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.
Comment 15 Chris Ward 2009-07-10 15:05:03 EDT
~~ Attention Partners - RHEL 5.4 Snapshot 1 Released! ~~

RHEL 5.4 Snapshot 1 has been released on partners.redhat.com. If you have already reported your test results, you can safely ignore this request. Otherwise, please notice that there should be a fix available now that addresses this particular request. Please test and report back your results here, at your earliest convenience. The RHEL 5.4 exception freeze is quickly approaching.

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Do not flip the bug status to VERIFIED. Instead, please set your Partner ID in the Verified field above if you have successfully verified the resolution of this issue. 

Further questions can be directed to your Red Hat Partner Manager or other appropriate customer representative.
Comment 18 errata-xmlrpc 2009-09-02 07:23:52 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1358.html
