PAM gets stuck waiting for audit_log_acct_message()

Bug #1571903 reported by Joao Machado
This bug affects 1 person
Affects: pam (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

During PAM processing of any request (auth, acct, or session), the function audit_log_acct_message() (from /lib/i386-linux-gnu/libaudit.so.1) is called to audit the event. One of the variables that can be used during audit logging is the hostname of the requester (PAM_RHOST). The audit_log_acct_message() function tries to resolve this hostname if the address is still not known, but when the DNS server is not reachable or the query returns SERVFAIL, the system tries a couple of times before aborting the process of name resolution, which leads to time wasted by PAM waiting for the return of audit_log_acct_message(). In some cases, this wasted time causes the requester application to time out, for example a VPN user.

This issue happened to me while testing a VPN solution using pppd, and at the same time the DNS server was down. The VPN client was timing out during the user/pass verification phase, and by looking at the pppd debug logs it was because of very slow PAM processing. At the same time, I could see the server was sending strange DNS queries about "ppp0". (pppd includes the dynamic interface name as the PAM_RHOST when calling PAM.)

Summary of events:
1. pppd passes user/pass to PAM for auth
2. PAM processes auth
3. PAM audits the event <- time wasted waiting for DNS (>5 seconds)
(...) -> the process is repeated for PAM acct and session checks.

By the way, if the DNS server responds with NXDOMAIN, the resolver aborts immediately and the stuck issue is not seen. This, I think, is what happens in most cases.

I wonder if PAM can be improved by making a non-blocking call to audit_log_acct_message().

Packages:
libpam0g:i386 - 1.1.8-1ubuntu2.2
libaudit1:i386 - 1:2.3.2-2ubuntu1

# lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04

Backtrace attached using pppd example.
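
The behaviour reported above, as an added example that is not part of the original report and is not PAM, libaudit or pppd code: one helper tells whether a PAM_RHOST value such as "ppp0" would need a resolver lookup at all, and a second runs the blocking lookup in a child process so the caller waits no longer than a fixed deadline. The function names are hypothetical, and the example assumes the lookup goes through the system resolver via getaddrinfo().

```c
/* Added example; not libaudit, PAM or pppd code. Function names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <netdb.h>
#include <poll.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if rhost is a name a resolver must look up (e.g. "ppp0");
 * 0 if it is empty or already a numeric IPv4/IPv6 literal. */
int rhost_needs_dns(const char *rhost)
{
    struct addrinfo hints = { .ai_flags = AI_NUMERICHOST }, *ai = NULL;
    if (rhost == NULL || *rhost == '\0')
        return 0;
    if (getaddrinfo(rhost, NULL, &hints, &ai) != 0)   /* parse only, no DNS query */
        return 1;
    freeaddrinfo(ai);
    return 0;
}

/* Run the blocking lookup in a child and wait at most timeout_ms.
 * Returns 0 resolved, 1 resolver failed, 2 deadline hit, -1 error. */
int resolve_with_deadline(const char *host, int timeout_ms)
{
    int fds[2], rc = -1, n;
    char res = 0;
    pid_t pid;
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                        /* child: may block on DNS retries */
        struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *ai = NULL;
        res = getaddrinfo(host, NULL, &hints, &ai) == 0 ? 0 : 1;
        _exit(write(fds[1], &res, 1) == 1 ? 0 : 1);
    }
    close(fds[1]);
    struct pollfd p = { .fd = fds[0], .events = POLLIN };
    n = poll(&p, 1, timeout_ms);
    if (n > 0 && read(fds[0], &res, 1) == 1)
        rc = res;                          /* child answered in time */
    else { kill(pid, SIGKILL); if (n == 0) rc = 2; }   /* stop waiting */
    close(fds[0]);
    waitpid(pid, NULL, 0);                 /* reap the child */
    return rc;
}
```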
