Hi,

On Fri, Jun 12, 2020 at 02:22:01PM -0400, Selva Nair wrote:
> I do not have a patch, but had briefly considered this while looking into
> handling "dynamic challenge" through the plugin.
>
> Just deferring an authentication is easy but the server will still stall if
> another client comes in during that deferred period as pam auth is handled
> by a single process. The plugin forks leaving a child running as root, and
> talks to it via a socket. The latter does the pam authentication. As pam
> runs within that process, it will still be waiting for the authentication
> to complete in a blocking call to pam_authenticate(). I felt it will take
> considerable effort to make it handle pam auth asynchronously.
My idea was:
- send the auth request to the "pam child", including the control file name
- pam child returns "I'll do this asynchronously"
- pam child forks
- grandchild does the (blocking) PAM stuff, and writes to auth control
file when done
that way, there should not be any blocking.
(Some care needs to be done inside the grandchild so that there is no
shared PAM state or whatever - so anything that happens at "init" now
might have to be moved to "after grandchild fork()")
> Things may be easier if modules that take long to verify the credentials,
> return something like PAM_INCOMPLETE, so that it can be called back later.
> But that is beyond our control, and I'm not familiar with async support
> within PAM or in PAM modules.
I don't really want to trust "3rd parties" here... well, I could try
to figure out FreeBSD's pam_radius and make that one asynchronous, but
PAM is full of interesting surprises - so "do it in our plugin" sounds
easier.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
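The "pam child forks a grandchild that does the blocking PAM call and writes the auth control file" scheme sketched in Gert's message, as an added C example that is not OpenVPN's own auth-pam plugin code. It assumes a stand-in `blocking_authenticate()` in place of the real `pam_authenticate()` conversation (so the file builds without libpam), a caller-supplied control file path, and a `wait_for_verdict()` poller that plays the server side; the "1"/"0" file contents follow the convention OpenVPN's deferred auth uses, and the double fork keeps the pam child from having to reap the grandchild.

```c
/* Added example (not OpenVPN's code): the double-fork pattern from the thread.
 * blocking_authenticate() is a constructed stand-in for pam_authenticate(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <time.h>

/* Stand-in for the blocking PAM conversation (constructed; a real plugin would
 * run pam_start()/pam_authenticate() here, inside the grandchild only). */
static int blocking_authenticate(const char *user, const char *pass)
{
    sleep(1);   /* simulate a slow backend such as RADIUS behind PAM */
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0;
}

/* Write the verdict to the auth control file: "1" = success, "0" = failure.
 * Write a temp file and rename() it so the server never sees a partial file. */
static int write_auth_control(const char *path, int ok)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, ok ? "1" : "0", 1) != 1) { close(fd); return -1; }
    close(fd);
    return rename(tmp, path);
}

/* Called in the "pam child" when an auth request arrives. Returns 0 at once
 * (the "I'll do this asynchronously" answer); a grandchild carries out the
 * blocking authentication and reports through the control file. The extra
 * fork level makes the grandchild an orphan reparented to init, so the pam
 * child never blocks on it and no zombie is left behind. */
int deferred_authenticate(const char *user, const char *pass, const char *control_file)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* intermediate child: fork again and exit immediately */
        pid_t gc = fork();
        if (gc < 0) _exit(1);
        if (gc > 0) _exit(0);
        /* grandchild: fresh process, so any PAM state is created here, not
         * inherited from the pam child ("init after grandchild fork()") */
        int ok = blocking_authenticate(user, pass);
        write_auth_control(control_file, ok);
        _exit(ok ? 0 : 1);
    }
    /* pam child: reap the short-lived intermediate child and return */
    int status;
    waitpid(pid, &status, 0);
    return 0;
}

/* Poll the control file until a verdict appears (what the server does on its
 * own schedule). Returns 1 (success), 0 (failure) or -1 on timeout. */
int wait_for_verdict(const char *control_file, int timeout_ms)
{
    for (int waited = 0; waited <= timeout_ms; waited += 50) {
        FILE *f = fopen(control_file, "r");
        if (f) {
            int c = fgetc(f);
            fclose(f);
            if (c == '1') return 1;
            if (c == '0') return 0;
        }
        struct timespec ts = {0, 50 * 1000 * 1000};
        nanosleep(&ts, NULL);
    }
    return -1;
}

int main(void)
{
    const char *path = "/tmp/acf_example_main";   /* constructed control file path */
    unlink(path);
    if (deferred_authenticate("alice", "correct-horse", path) != 0) return 1;
    printf("request handed off; pam child is free to serve the next client\n");
    int v = wait_for_verdict(path, 5000);
    printf("verdict from control file: %d\n", v);
    unlink(path);
    return v == 1 ? 0 : 1;
}
```

The point to observe is that `deferred_authenticate()` returns before the control file exists: the one-second "PAM" call runs in the grandchild, so a second client arriving at the pam child during that window is served immediately rather than queued behind `pam_authenticate()`.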
