PAM gets stuck waiting for audit_log_acct_message()
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
During PAM processing of any request (auth, acct, or session), the function audit_log_
This issue happened to me while testing a VPN solution using pppd, and at the same time the DNS server was down. The VPN client was timing out during the user/pass verification phase, and by looking at the pppd debug logs it was because of very slow PAM processing. At the same time, I could see the server was sending strange DNS queries about "ppp0". (pppd includes the dynamic interface name as the PAM_RHOST when calling PAM.)
Summary of events:
1-pppd passes user/pass to PAM for auth
2-PAM processes auth
3-PAM audits the event <- time wasted waiting for DNS (>5 seconds)
(...)->the process is repeated for PAM acct and session checks.
By the way, if the DNS server responds with NXDOMAIN, the resolver aborts immediately and the stuck issue is not seen. This I think is what happens in most cases.
I wonder if PAM can be improved by making a non-blocking call to audit_log_
Packages:
libpam0g:i386 - 1.1.8-1ubuntu2.2
libaudit1:i386 - 1:2.3.2-2ubuntu1
# lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Backtrace attached using pppd example.
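
The report ties the stall to a name lookup on the PAM_RHOST value ("ppp0"). The following C code is an added example, not code from PAM, libaudit or the reporter: it classifies an rhost string with `getaddrinfo()` and `AI_NUMERICHOST`, which parses address literals only and sends no DNS query, so a caller can tell which values would need the resolver. The names `classify_rhost` and `rhost_needs_dns` are hypothetical, and the sample values are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

enum rhost_kind { RHOST_EMPTY, RHOST_IPV4, RHOST_IPV6, RHOST_NAME };

/* AI_NUMERICHOST restricts getaddrinfo() to parsing address literals;
 * it never contacts a name server, so it cannot block on a dead one. */
enum rhost_kind classify_rhost(const char *rhost)
{
    struct addrinfo hints, *res = NULL;
    enum rhost_kind kind = RHOST_NAME;

    if (rhost == NULL || *rhost == '\0')
        return RHOST_EMPTY;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;

    if (getaddrinfo(rhost, NULL, &hints, &res) != 0)
        return RHOST_NAME;   /* not a literal: a real lookup would be needed */

    if (res->ai_family == AF_INET)
        kind = RHOST_IPV4;
    else if (res->ai_family == AF_INET6)
        kind = RHOST_IPV6;
    freeaddrinfo(res);
    return kind;
}

/* Returns 1 when the value is a name that only the resolver could map. */
int rhost_needs_dns(const char *rhost)
{
    return classify_rhost(rhost) == RHOST_NAME;
}

int main(void)
{
    /* Constructed samples; "ppp0" is the value named in the report. */
    const char *samples[] = { "ppp0", "192.0.2.10", "2001:db8::1", "" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s needs_dns=%d\n", samples[i], rhost_needs_dns(samples[i]));
    return 0;
}
```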