On Tue, Jun 9, 2020 at 1:55 PM Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> I ran into a problem at a customer installation recently, where
> plugin-auth-pam was blocking for some extended time (~30 seconds?)
> due to pam_radius not receiving answers due to problems in the backend.
>
> Now, maybe I should use radiusplugin in the first place, but since
> the pam_radius setup on this machine is shared between sshd and OpenVPN,
> I actually *like* using plugin-auth-pam -> pam_radius ("test one service,
> know that radius very likely works for both").
>
> That said, I'm considering modifying the plugin-auth-pam plugin to
> add async authentication - which is supposedly not so hard
> ("sample-plugins/defer/simple.c").
>
> Has one of you already done this, and just forgot to send in patches? :-)
>
> Any particular caveats?
>

I do not have a patch, but had briefly considered this while looking into handling "dynamic challenge" through the plugin. Just deferring an authentication is easy but the server will still stall if another client comes in during that deferred period as pam auth is handled by a single process.

The plugin forks leaving a child running as root, and talks to it via a socket. The latter does the pam authentication. As pam runs within that process, it will still be waiting for the authentication to complete in a blocking call to pam_authenticate(). I felt it will take considerable effort to make it handle pam auth asynchronously.

Things may be easier if modules that take long to verify the credentials return something like PAM_INCOMPLETE, so that it can be called back later. But that is beyond our control, and I'm not familiar with async support within PAM or in PAM modules.

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
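The stall described in the reply above, as an added example that is not part of the original message and not OpenVPN's plugin code: a single forked helper serves requests over a socketpair, so a second login queued behind a slow one waits for both. `slow_auth()`, `helper_loop()`, `second_client_wait_ms()` and the 300 ms delay are constructed stand-ins; `slow_auth()` takes the place of the blocking `pam_authenticate()` call.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#define AUTH_DELAY_MS 300 /* constructed delay standing in for a slow RADIUS backend */

/* Hypothetical stand-in for the blocking pam_authenticate() call. */
static int slow_auth(void) {
    struct timespec d = { AUTH_DELAY_MS / 1000, (AUTH_DELAY_MS % 1000) * 1000000L };
    return nanosleep(&d, NULL) == 0; /* 1 = "accepted" once the wait is over */
}

/* Background helper: serves one request at a time, never returns. */
static void helper_loop(int fd) {
    char req, ok;
    while (read(fd, &req, 1) == 1) {
        ok = (char)slow_auth();
        if (write(fd, &ok, 1) != 1) break;
    }
    _exit(0);
}

/* Two logins arrive together; returns ms until the second verdict is available. */
double second_client_wait_ms(void) {
    int sv[2];
    char verdict;
    pid_t pid;
    struct timespec a, b;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) { close(sv[0]); helper_loop(sv[1]); }
    close(sv[1]);
    clock_gettime(CLOCK_MONOTONIC, &a);
    /* Deferring lets the server hand off both requests without waiting... */
    if (write(sv[0], "AB", 2) != 2) return -1;
    /* ...but the single helper still produces the verdicts one after the other. */
    if (read(sv[0], &verdict, 1) != 1 || read(sv[0], &verdict, 1) != 1) return -1;
    clock_gettime(CLOCK_MONOTONIC, &b);
    close(sv[0]); /* EOF ends the helper */
    waitpid(pid, NULL, 0);
    return (b.tv_sec - a.tv_sec) * 1000.0 + (b.tv_nsec - a.tv_nsec) / 1e6;
}

int main(void) {
    printf("second verdict after %.0f ms (one auth: %d ms)\n", second_client_wait_ms(), AUTH_DELAY_MS);
    return 0;
}
```

With a backend timeout of around 30 seconds in place of the 300 ms used here, each queued login adds another full timeout to the wait of everyone behind it.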