[squid-users] Re: Pam_auth eats my cpu!

From: Henrik Nordstrom <[email protected]>
Date: Tue, 12 Feb 2002 12:12:36 +0100

I have tried everything I can think of, but I cannot reproduce your
problem.

I have tested the pam_auth module on RedHat-7.2 using Squid-2.5 and
the following PAM configurations:

#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nullok
account required /lib/security/pam_unix.so

And

#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth

where system-auth looks like
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
[... password and session cut away for readability]

On your request I have also tested with a bare pam_auth.so
configuration

#%PAM-1.0
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

and in all cases it seems to work flawlessly.

Relevant system packages on the test machine (RedHat-7.2 based):
        pam-0.75-19
        glibc-2.2.4-20
        gcc-2.96-98

/etc/pwdb.conf:

#
# This is the configuration file for the pwdb library
#

user:
        unix+shadow
        nis+unix+shadow

group:
        unix+shadow
        nis+unix+shadow

/etc/nsswitch.conf

passwd: files nisplus
shadow: files nisplus
group: files nisplus

NIS not running.

All passwords in /etc/shadow

Maybe some hint can be provided by strace

   strace -p <pid_of_a_pam_auth_helper>

As you say it seems to be related to the account stage you can
disable this in pam_auth-2.0 by using the commandline option -o

To get a full list of commandline options in pam_auth-2.0 run
"pam_auth -h". Not all are documented in the man page yet.

Regards
Henrik Nordstr�m

On Monday 11 February 2002 07.19, Ian McDonald wrote:
> Henrik,
>
> I am having great difficulty getting pam_auth to do anything other
> than use two processes to consume about 48% of the cpu each. Squid
> seems to use the rest of the cpu.
>
> I am currently using RedHat 7.2 but saw the same problem under 7.1.
>
> /etc/pam.d/squid contains:
> auth required /lib/security/pam_unix.so
> account required /lib/security/pam_unix.so
>
> I have installed pam_auth-2.0 but had the same problem with the
> pam_auth that came with RH 7.1 and 7.2.
>
> I have searched the web for similar problems at other sites and
> only found one. He solved his problem by installing squid_auth
> from conectiva. I would rather fix the problem I have because I am
> trying to mimic an older working RedHat system before I upgrade it.
>
> I can run pam_auth interactively as either root or a non-privileged
> user and it produces the correct results (pam_auth is suid root).
>
> If I have just the auth line in the conf file above I don't have
> the problem with the cpu being used up, but then, I don't get
> authorised either :-(
> It appears that the problem is associated with the account line in
> the conf file but I don't have enough Linux experience to take this
> any further.
>
> I am at my wits end. Do you have any suggestions?
>
> Thank you in anticipation,
>
> Ian McDonald

-- 
MARA Systems AB, Giving you basic free Squid support
Customized solutions, packaged solutions and priority support
available on request
Received on Tue Feb 12 2002 - 04:21:02 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:13 MST