Re: [Openvpn-devel] async plugin-auth-pam

2020-06-12 Thread Gert Doering
Hi,

On Fri, Jun 12, 2020 at 02:22:01PM -0400, Selva Nair wrote:
> I do not have a patch, but had briefly considered this while looking into
> handling "dynamic challenge" through the plugin.
> 
> Just deferring an authentication is easy but the server will still stall if
> another client comes in during that deferred period as pam auth is handled
> by a single process. The plugin forks leaving a child running as root, and
> talks to it via a socket. The latter does the pam authentication. As pam
> runs within that process, it will still be waiting for the authentication
> to complete in a blocking call to pam_authenticate(). I felt it will take
> considerable effort to make it handle pam auth asynchronously.

My idea was:

 - send the auth request to the "pam child", including the control file name
 - pam child returns "I'll do this asynchronously"
 - pam child forks
 - grandchild does the (blocking) PAM stuff, and writes to auth control
   file when done

that way, there should not be any blocking.

(Some care needs to be done inside the grandchild so that there is no
shared PAM state or whatever - so anything that happens at "init" now
might have to be moved to "after grandchild fork()")

> Things may be easier if modules that take long to verify the credentials,
> return something like PAM_INCOMPLETE, so that it can be called back later.
> But that is beyond our control, and I'm not familiar with async support
> within PAM or in PAM modules.

I don't really want to trust "3rd parties" here...  well, I could try
to figure out FreeBSD's pam_radius and make that one asynchronous, but
PAM is full of interesting surprises - so "do it in our plugin" sounds
easier.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
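
The hand-off Gert sketches above (pam child answers "deferred", forks, and a grandchild runs the blocking check and writes the verdict into the auth control file) as an added, stand-alone example; this is not code from the thread or from the OpenVPN plugin-auth-pam sources. It assumes a constructed `slow_backend_check()` in place of the real `pam_authenticate()` call, a constructed `/tmp` control-file path created with `mkstemp()` to stand in for the file the server pre-creates, and the documented control-file contract of a single `'1'` (accepted) or `'0'` (rejected). A real plugin would return `OPENVPN_PLUGIN_FUNC_DEFERRED` where `defer_auth()` returns 0, and the grandchild should also close the socket it inherited towards the server process before doing anything else.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Verdict values: the server expects a single '1' or '0' in the
 * auth control file; -1 means nothing has been written yet. */
#define VERDICT_PENDING (-1)

typedef int (*blocking_auth_fn)(const char *user, const char *pass);

/* Constructed stand-in for the blocking pam_authenticate() call: sleeps
 * a little to imitate a slow RADIUS backend and accepts one fixed
 * credential pair. The real plugin runs the PAM conversation here. */
static int slow_backend_check(const char *user, const char *pass)
{
    struct timespec delay = { 0, 50 * 1000 * 1000 }; /* 50 ms */
    nanosleep(&delay, NULL);
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0;
}

/* Write the verdict into the auth control file (one byte, then close). */
static int write_verdict(const char *path, int ok)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = (fputc(ok ? '1' : '0', f) == EOF) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Read the verdict back the way the server does. */
static int read_verdict(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return VERDICT_PENDING;
    int c = fgetc(f);
    fclose(f);
    if (c == '1') return 1;
    if (c == '0') return 0;
    return VERDICT_PENDING; /* file exists but nothing written yet */
}

/* The "I'll do this asynchronously" step: fork twice so the blocking
 * check runs in a grandchild the pam child never has to wait for.
 * Returns 0 once the work is handed off, -1 if the hand-off failed. */
static int defer_auth(const char *control_file, const char *user,
                      const char *pass, blocking_auth_fn check)
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        pid_t grandchild = fork();
        if (grandchild < 0) _exit(1);
        if (grandchild > 0) _exit(0); /* intermediate child: exit at once */
        /* Grandchild: any PAM state must be initialised from scratch here,
         * so nothing is shared with the long-lived pam child. */
        int ok = check(user, pass);
        _exit(write_verdict(control_file, ok) == 0 ? 0 : 1);
    }
    /* Parent (the pam child) reaps only the short-lived intermediate
     * process; the grandchild is reparented and needs no wait(). */
    int status;
    while (waitpid(child, &status, 0) < 0) {
        if (errno != EINTR) return -1;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Poll the control file, as the server does, for up to timeout_ms. */
static int wait_for_verdict(const char *path, int timeout_ms)
{
    struct timespec tick = { 0, 10 * 1000 * 1000 }; /* 10 ms */
    for (int waited = 0; waited <= timeout_ms; waited += 10) {
        int v = read_verdict(path);
        if (v != VERDICT_PENDING) return v;
        nanosleep(&tick, NULL);
    }
    return VERDICT_PENDING;
}

/* End-to-end demo: create a control file, defer the check, wait for the
 * verdict. Returns 1/0, or -1 if deferral or the wait failed. */
static int demo_deferred_auth(const char *user, const char *pass)
{
    char path[] = "/tmp/auth_control_XXXXXX"; /* constructed path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int verdict = -1;
    if (defer_auth(path, user, pass, slow_backend_check) == 0)
        verdict = wait_for_verdict(path, 2000);
    unlink(path);
    return verdict;
}

int main(void)
{
    printf("alice/correct-horse -> %d\n", demo_deferred_auth("alice", "correct-horse"));
    printf("alice/wrong         -> %d\n", demo_deferred_auth("alice", "wrong"));
    return 0;
}
```

The double fork is what keeps the pam child responsive: it only ever waits on the intermediate process, which exits immediately, so a second client arriving while the grandchild is stuck in the backend is served right away and no zombies accumulate. The server side still enforces its own deadline on deferred clients, so a backend that never answers turns into a rejected login rather than a stalled daemon.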


Re: [Openvpn-devel] async plugin-auth-pam

2020-06-12 Thread Selva Nair
On Tue, Jun 9, 2020 at 1:55 PM Gert Doering wrote:

> Hi,
>
> I ran into a problem at a customer installation recently, where
> plugin-auth-pam was blocking for some extended time (~30 seconds?)
> due to pam_radius not receiving answers due to problems in the backend.
>
> Now, maybe I should use radiusplugin in the first place, but since
> the pam_radius setup on this machine is shared between sshd and OpenVPN,
> I actually *like* using plugin-auth-pam -> pam_radius ("test one service,
> know that radius very likely works for both").
>
> That said, I'm considering modifying the plugin-auth-pam plugin to
> add async authentication - which is supposedly not so hard
> ("sample-plugins/defer/simple.c").
>
> Has one of you already done this, and just forgot to send in patches? :-)
>
> Any particular caveats?
>

I do not have a patch, but had briefly considered this while looking into
handling "dynamic challenge" through the plugin.

Just deferring an authentication is easy but the server will still stall if
another client comes in during that deferred period as pam auth is handled
by a single process. The plugin forks leaving a child running as root, and
talks to it via a socket. The latter does the pam authentication. As pam
runs within that process, it will still be waiting for the authentication
to complete in a blocking call to pam_authenticate(). I felt it will take
considerable effort to make it handle pam auth asynchronously.

Things may be easier if modules that take long to verify the credentials,
return something like PAM_INCOMPLETE, so that it can be called back later.
But that is beyond our control, and I'm not familiar with async support
within PAM or in PAM modules.

Selva


[Openvpn-devel] async plugin-auth-pam

2020-06-09 Thread Gert Doering
Hi,

I ran into a problem at a customer installation recently, where 
plugin-auth-pam was blocking for some extended time (~30 seconds?)
due to pam_radius not receiving answers due to problems in the backend.

Now, maybe I should use radiusplugin in the first place, but since 
the pam_radius setup on this machine is shared between sshd and OpenVPN,
I actually *like* using plugin-auth-pam -> pam_radius ("test one service,
know that radius very likely works for both").

That said, I'm considering modifying the plugin-auth-pam plugin to
add async authentication - which is supposedly not so hard 
("sample-plugins/defer/simple.c").

Has one of you already done this, and just forgot to send in patches? :-)

Any particular caveats?

thanks,

gert


-- 
Gert Doering - Munich, Germany g...@greenie.muc.de

