Hi,

On Sat, Jun 20, 2020 at 06:22:06PM +0200, Gert Doering wrote:
> If OpenVPN signals deferred authentication support (by setting the
> internal environment variable "auth_control_file"), do not wait
> for PAM stack to finish. Instead, the privileged PAM process
> returns RESPONSE_DEFER via the control socket, which gets turned
> into OPENVPN_PLUGIN_FUNC_DEFERRED towards openvpn.
[..]
> Lightly tested on Linux.

This is sort of a "v1" of this patch, knowing well that it needs some more polishing regarding logging etc. - but it would be good to have some feedback if I'm overlooking something crucial here.

"It seems to work, though" - as in "I've built a pam stack with pam_auth_radius talking to a non-existing radius server, which will always add 15 seconds of delay - and with this patch, two clients can authenticate concurrently, TLS handshakes do work while a client is authenticating, and pings for client A do not stop while client B is connecting". And, no zombie processes.

I have not tested this in anger, like "100 clients connecting at the same time" or "let it run for two weeks with 1000 clients connecting and disconnecting all the time".

It goes on top of the patch that adds plugin_log() logging to auth-pam.c

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
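
The deferred pattern described in the quoted commit message, as an added example that is not part of the original mail, the patch, or auth-pam.c: when a control file is offered, the handler returns the deferred code immediately and a background worker writes the verdict byte ('1' accept, '0' reject) into that file. The names `auth_user`, `slow_check`, `nap` and `roundtrip` are hypothetical, the double fork is an assumed way to avoid zombies rather than what the patch does, and the sample users are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Same numeric values as OPENVPN_PLUGIN_FUNC_* in openvpn-plugin.h. */
enum { FUNC_SUCCESS = 0, FUNC_ERROR = 1, FUNC_DEFERRED = 2 };
static void nap(void) { struct timespec d = {0, 100000000L}; nanosleep(&d, NULL); }
/* Constructed stand-in for a slow PAM stack: delays, accepts only "alice". */
static int slow_check(const char *user) { nap(); return strcmp(user, "alice") == 0; }

/* acf == NULL: deferred auth not signalled, so block and answer directly.
 * Otherwise double-fork (the worker is reparented, leaving no zombie) and
 * return FUNC_DEFERRED at once; the worker writes '1' or '0' into acf. */
int auth_user(const char *user, const char *acf)
{
    if (acf == NULL)
        return slow_check(user) ? FUNC_SUCCESS : FUNC_ERROR;
    pid_t mid = fork();
    if (mid < 0)
        return FUNC_ERROR;
    if (mid == 0) {
        pid_t worker = fork();
        if (worker != 0)
            _exit(worker < 0);          /* intermediate process exits at once */
        char verdict = slow_check(user) ? '1' : '0';
        int fd = open(acf, O_WRONLY | O_TRUNC);
        _exit(fd < 0 || write(fd, &verdict, 1) != 1);
    }
    int st;
    if (waitpid(mid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) != 0)
        return FUNC_ERROR;
    return FUNC_DEFERRED;
}

/* Caller side of the demo: create an empty control file, call auth_user(),
 * then poll the file for the verdict. Returns 1, 0, or -1 on error/timeout. */
int roundtrip(const char *user)
{
    char acf[] = "/tmp/acf_XXXXXX", c = 0;
    int fd = mkstemp(acf), verdict = -1;
    if (fd >= 0 && auth_user(user, acf) == FUNC_DEFERRED)
        for (int i = 0; i < 50 && verdict < 0; i++, nap())
            if (pread(fd, &c, 1, 0) == 1)
                verdict = (c == '1');
    if (fd >= 0) { close(fd); unlink(acf); }
    return verdict;
}
```

If the worker dies before writing, the control file stays empty and the caller has to rely on its own timeout, which `roundtrip` models by returning -1 after about five seconds.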