[Bug 1571903] [NEW] PAM gets stuck waiting for audit_log_acct_message()

Joao Machado jocrismachado at gmail.com
Tue Apr 19 00:20:26 UTC 2016 

Public bug reported:

During PAM processing of any request (auth, acct, or session), the
function audit_log_acct_message () (from /lib/i386-linux-
gnu/libaudit.so.1 ) is called to audit the event. One of the variables
that can be used during audit logging is the hostname of the requester
(PAM_RHOST). The audit_log_acct_message () function try to resolve this
hostname if the address is still not known, but when the DNS server is
not reachable or the query return is SERVFAIL, system tries a couple of
times before aborting the process of name resolution, which leads to
time wasted by PAM waiting for the return of  audit_log_acct_message ().
In some cases, this time wasting causes the requester application to
timeout, for example a VPN user.

This issue happened to me while testing a vpn solution using pppd, and
at the same time dns server was down. The vpn client was timing out
during user/pass verification phase, and by looking at pppd debug logs
it was because of a very slow PAM processing. At same time, I could see
server was sending strange dns queries about "ppp0". (pppd includes the
dynamic interface name as the PAM_RHOST when calling PAM).

Summary of events:
1-pppd passes user/pass to PAM for auth
2-PAM pocess auth
3-PAM audit the event  <- time wasted waiting for dns (>5 seconds)
(...)->the process is repeated for PAM acct and session checks.

By the way if DNS server responds with NXDOMAIN, the resolver aborts
immediately and the stuck issue is not seen. This I think is what
happens on most cases.

I wonder if PAM can be improved by making a non-blocking call to
audit_log_acct_message ().

Packages:
libpam0g:i386  - 1.1.8-1ubuntu2.2
libaudit1:i386   - 1:2.3.2-2ubuntu1

# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04

Backtrace attached using pppd example.

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: blocking dns gethostbyname pam pppd query stuck

** Attachment added: "backtrace_pppd_gethostbyname.txt"
   https://bugs.launchpad.net/bugs/1571903/+attachment/4639556/+files/backtrace_pppd_gethostbyname.txt

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1571903

Title:
  PAM gets stuck waiting for audit_log_acct_message()

Status in pam package in Ubuntu:
  New

Bug description:
  During PAM processing of any request (auth, acct, or session), the
  function audit_log_acct_message () (from /lib/i386-linux-
  gnu/libaudit.so.1 ) is called to audit the event. One of the variables
  that can be used during audit logging is the hostname of the requester
  (PAM_RHOST). The audit_log_acct_message () function try to resolve
  this hostname if the address is still not known, but when the DNS
  server is not reachable or the query return is SERVFAIL, system tries
  a couple of times before aborting the process of name resolution,
  which leads to time wasted by PAM waiting for the return of
  audit_log_acct_message (). In some cases, this time wasting causes the
  requester application to timeout, for example a VPN user.

  This issue happened to me while testing a vpn solution using pppd, and
  at the same time dns server was down. The vpn client was timing out
  during user/pass verification phase, and by looking at pppd debug logs
  it was because of a very slow PAM processing. At same time, I could
  see server was sending strange dns queries about "ppp0". (pppd
  includes the dynamic interface name as the PAM_RHOST when calling
  PAM).

  Summary of events:
  1-pppd passes user/pass to PAM for auth
  2-PAM pocess auth
  3-PAM audit the event  <- time wasted waiting for dns (>5 seconds)
  (...)->the process is repeated for PAM acct and session checks.

  By the way if DNS server responds with NXDOMAIN, the resolver aborts
  immediately and the stuck issue is not seen. This I think is what
  happens on most cases.

  I wonder if PAM can be improved by making a non-blocking call to
  audit_log_acct_message ().

  Packages:
  libpam0g:i386  - 1.1.8-1ubuntu2.2
  libaudit1:i386   - 1:2.3.2-2ubuntu1

  # lsb_release -rd
  Description:    Ubuntu 14.04.4 LTS
  Release:        14.04

  Backtrace attached using pppd example.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1571903/+subscriptions

More information about the foundations-bugs mailing list