[Bug 1571903] [NEW] PAM gets stuck waiting for audit_log_acct_message()
Joao Machado
jocrismachado at gmail.com
Tue Apr 19 00:20:26 UTC 2016
Public bug reported:
During PAM processing of any request (auth, acct, or session), the
function audit_log_acct_message () (from
/lib/i386-linux-gnu/libaudit.so.1 ) is called to audit the event. One of
the variables that can be used during audit logging is the hostname of
the requester (PAM_RHOST). The audit_log_acct_message () function tries
to resolve this hostname if the address is still not known, but when the
DNS server is not reachable or the query return is SERVFAIL, the system
tries a couple of times before aborting the process of name resolution,
which leads to time wasted by PAM waiting for the return of
audit_log_acct_message (). In some cases, this time wasting causes the
requester application to time out, for example a VPN user.
This issue happened to me while testing a VPN solution using pppd, and
at the same time the DNS server was down. The VPN client was timing out
during the user/pass verification phase, and by looking at pppd debug
logs it was because of a very slow PAM processing. At the same time, I
could see the server was sending strange DNS queries about "ppp0". (pppd
includes the dynamic interface name as the PAM_RHOST when calling PAM).
Summary of events:
1-pppd passes user/pass to PAM for auth
2-PAM processes auth
3-PAM audits the event <- time wasted waiting for dns (>5 seconds)
(...)->the process is repeated for PAM acct and session checks.
By the way, if the DNS server responds with NXDOMAIN, the resolver
aborts immediately and the stuck issue is not seen. This I think is what
happens in most cases.
I wonder if PAM can be improved by making a non-blocking call to
audit_log_acct_message ().
Packages:
libpam0g:i386 - 1.1.8-1ubuntu2.2
libaudit1:i386 - 1:2.3.2-2ubuntu1
# lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Backtrace attached using pppd example.
** Affects: pam (Ubuntu)
Importance: Undecided
Status: New
** Tags: blocking dns gethostbyname pam pppd query stuck
** Attachment added: "backtrace_pppd_gethostbyname.txt"
https://bugs.launchpad.net/bugs/1571903/+attachment/4639556/+files/backtrace_pppd_gethostbyname.txt
https://bugs.launchpad.net/bugs/1571903
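Added example, not part of the report and not code from pam, libaudit or pppd: a check an application could run on a candidate PAM_RHOST value to tell an address literal from a name such as "ppp0" that a resolver would have to look up. The function name rhost_needs_lookup and all sample values except "ppp0" are assumptions constructed for illustration; AI_NUMERICHOST makes getaddrinfo() parse literals only, so the check itself never sends a DNS query.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical helper (name is an assumption).
 * Returns  0 if rhost is an IPv4/IPv6 address literal,
 *          1 if it is a name that would need a resolver lookup,
 *         -1 if it is NULL or empty. */
int rhost_needs_lookup(const char *rhost)
{
    struct addrinfo hints, *res = NULL;

    if (rhost == NULL || *rhost == '\0')
        return -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;        /* accept IPv4 and IPv6 literals */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;    /* parse only, never query DNS */

    if (getaddrinfo(rhost, NULL, &hints, &res) == 0) {
        freeaddrinfo(res);
        return 0;                       /* literal: no lookup required */
    }
    return 1;                           /* not a literal: lookup required */
}

int main(void)
{
    /* Constructed samples; "ppp0" is the value named in the report. */
    const char *samples[] = { "ppp0", "192.0.2.10", "2001:db8::1",
                              "vpn-client.example", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = rhost_needs_lookup(samples[i]);
        printf("%-20s -> %s\n", samples[i][0] ? samples[i] : "(empty)",
               r == 0 ? "address literal, no lookup" :
               r == 1 ? "name, resolver lookup needed" : "unset");
    }
    return 0;
}
```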