[clue-tech] long auth timeout from pam_unix.so?

Thu Nov 23 10:23:43 MST 2006

Hi,

We have a terminal server type system which answers the phone on
some modems and runs some applications depending on what the dialup
client wants to do.

One of the things that could happen is the server could present a
login: prompt, to which the client could respond with a username.
If so then the application presents the username to /bin/login
which prints a password prompt.  Thus control of the session is
passed to /bin/login.

We occasionally have a problem where the password is either in-
correct or was not presented, but /bin/login takes a really long
time to return an error to the parent process.  Consider the
following logfile entries:

Nov 14 20:22:31 mb-ws1 pc400syslog: PC400 - [MODEM] Modem 20 AdmMsg - connect V32 4800 direct/none
Nov 14 20:22:31 mb-ws1 mb: 2006-11-14 20:22:31.835413 mb (MBModemThread.cpp:436) - Debug:  Detected new call uuid 40f94040-f687
Nov 14 20:22:44 mb-ws1 mb: 2006-11-14 20:22:44.835558 mb (MBModemThread.cpp:484) - Debug:  ZMODEM startup inactivity; switch to login
Nov 14 20:22:46 mb-ws1 mb: 2006-11-14 20:22:46.656122 mb (MBModemThread.cpp:1255) - Debug:  PPP Login matched PPP user 'userid'
  *** NOTE ALMOST 6 HOUR DELAY UNTIL THE FAILURE MESSAGE ***
Nov 15 02:14:08 mb-ws1 su(pam_unix)[1878]: authentication failure; logname= uid=100 euid=0 tty= ruser=mb rhost=    user=userid
Nov 15 02:14:08 mb-ws1 pc400syslog: PC400 - [MODEM] Modem 20 AdmMsg - deallocated on slot 1 link 20
Nov 15 02:14:08 mb-ws1 pc400syslog: PC400 - [MODEM] Modem 20 Event 0x7444 - modem ready
Nov 15 02:14:08 mb-ws1 mb: 2006-11-15 02:14:08.964342 mb (MBModemThread.cpp:1355) - Debug:  Carrier signal lost modem 'M20'
Nov 15 02:14:09 mb-ws1 mb: 2006-11-15 02:14:09.474340 mb (MBCallRecord.cpp:427) - Debug:  Call complete uuid 40f94040-f687
Nov 15 02:14:09 mb-ws1 mb: 2006-11-15 02:14:09.474493 mb (MBCallRecordNotify.cpp:53) - Info:  Exceeded call duration threshold '

Does anyone on the list have any ideas what we can do to shorten
up the maximum timeout on pam_unix so it gives an authentication failure
much sooner than 6 hours after it started?

We are interested in this because it's a satellite phone which charges over
$1 per minute, so this phone call cost almost $400.  This happens from time
to time.

Right now our workaround is to make the parent supervisor process watch
the /bin/login child and reset the modem if it does not return in a timely
manner.  However it would be nice to know how to get PAM to play nice with
our expensive satellite phones.

A google and USENET search did not enlighten me.  A last resort would be
to read the man page. ;)

Thanks,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/