Open
Description
On a real box with a pretty boring PAM setup, successful authentication takes a few seconds. I traced this to our (mis)use of `PAM_RHOST` flag. We're setting that to a value such as `[::1]:49748(for=_3h1Qo6TH)`, and the `auditd(8)` is apparently trying to resolve that using the DNS:
```
Thread 5 (Thread 0xb46b3100 (LWP 8738) "rousette"):
#0 0xb65a5624 in __ppoll64 () from /lib/libc.so.6
#1 0xb65a5750 in ppoll () from /lib/libc.so.6
#2 0xb3e85800 in ?? () from /lib/libnss_resolve.so.2
#3 0xb3e8592c in ?? () from /lib/libnss_resolve.so.2
#4 0xb3e8fdbc in ?? () from /lib/libnss_resolve.so.2
#5 0xb3e92044 in ?? () from /lib/libnss_resolve.so.2
#6 0xb3e784f0 in _nss_resolve_gethostbyname4_r () from /lib/libnss_resolve.so.2
#7 0xb65db2d4 in getaddrinfo () from /lib/libc.so.6
#8 0xb62bfbf4 in ?? () from /lib/libaudit.so.1
#9 0xb62c0644 in audit_log_acct_message () from /lib/libaudit.so.1
#10 0xb69cb104 in ?? () from /lib/libpam.so.0
#11 0xb69cb320 in ?? () from /lib/libpam.so.0
#12 0xb69c5bd4 in ?? () from /lib/libpam.so.0
#13 0xb69c55a8 in pam_authenticate () from /lib/libpam.so.0
#14 0x00582094 in rousette::auth::(anonymous namespace)::authenticate_pam (remoteHost=..., userPass=...) at /home/jkt/work/prog/_build/_br-cfb/build/rousette-custom/src/auth/PAM.cpp:175
```
Since we're designed to run behind a reverse proxy, we do not have direct access to the actual remote endpoint's address, so we're "faking" that via a unique request ID as provided by nghttpx.
We could:
- stop logging the `PAM_RHOST` thing,
- somehow pass along the real IP address, if possible,
- try to reconfigure the audit system to stop resolving stuff.
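A check that fits the first two options above, as an added example that is not rousette's own code: it only yields a value for `PAM_RHOST` when that value is an IP literal, so a later `getaddrinfo()` on it can be answered by local parsing. The names `isNumericAddress` and `numericRhost` are hypothetical, and the split assumes the `[addr]:port(...)` / `addr:port` shapes seen in the sample value from this issue.

```cpp
#include <netdb.h>
#include <sys/socket.h>
#include <string>

// True only for IPv4/IPv6 literals. With AI_NUMERICHOST, getaddrinfo()
// parses the string locally and fails instead of performing a name lookup.
bool isNumericAddress(const std::string& host)
{
    addrinfo hints{};
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    addrinfo* res = nullptr;
    if (getaddrinfo(host.c_str(), nullptr, &hints, &res) != 0)
        return false;
    freeaddrinfo(res);
    return true;
}

// Hypothetical helper: return the address part of a peer description if it is
// an IP literal, or an empty string if nothing resolver-safe can be extracted.
// An empty result means "do not set PAM_RHOST; keep the full string for the
// application's own log instead".
std::string numericRhost(const std::string& peer)
{
    if (isNumericAddress(peer))
        return peer;                       // already a bare literal
    std::string host;
    if (!peer.empty() && peer.front() == '[') {
        auto end = peer.find(']');         // "[v6]:port(...)"
        if (end == std::string::npos)
            return "";
        host = peer.substr(1, end - 1);
    } else {
        host = peer.substr(0, peer.find(':'));  // "v4:port(...)"
    }
    return isNumericAddress(host) ? host : "";
}
```

Behind a reverse proxy the literal extracted this way is whatever address the peer string carries, so it narrows what reaches the audit record without making it the client's address.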