Ryan Underwood <[EMAIL PROTECTED]> writes:
> On Sun, Jul 10, 2005 at 08:49:20PM -0700, Russ Allbery wrote:

>> If I force a failure in _init_context (by adding comments with
>> whitespace in front of them, from another bug I'm looking at), PAM
>> falls immediately through to the next module for me. I'm not sure how
>> it could get more confused than what that does.

>> What's your PAM configuration?

> Default /etc/pam.d/login with debian, default common-password and
> common-account.

> common-auth:
> auth optional pam_krb5.so
> auth sufficient pam_unix.so try_first_pass nullok_secure
> auth required pam_deny.so

> common-session:
> session optional pam_krb5.so
> session optional pam_openafs_session.so
> session required pam_unix.so

> I'll try to reproduce it again, but it seemed fairly reliable to trigger
> when I submitted the bug.

I managed to reproduce this on a system that was physically disconnected
from the network. For some reason, that apparently creates a different
sort of timeout than the KDCs just not being reachable. My guess at the
moment is that DNS resolution isn't subjected to the same timeouts as the
rest of the Kerberos protocol exchange.

I'm going to try to find some time to work on this, but if anyone else has
the time to track down the problem, that would be greatly appreciated.
This may end up a Kerberos bug rather than a bug in the PAM module; I'm
not sure yet. It looks like login enforces a timeout so that a PAM module
simply has to complete within a particular period of time, no matter what.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
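The behaviour discussed in this message, as an added example that is not part of the original email or of libpam: a simplified Python model of how the control flags in the quoted common-auth stack are evaluated, and of a caller-side time limit that applies even when the slow module is marked `optional`. `run_stack` is a hypothetical helper, and the timeout value and per-module durations are constructed.

```python
# Simplified model of Linux-PAM control flags (added illustration, not libpam code).
OK, FAIL, TIMED_OUT = "PAM_SUCCESS", "PAM_AUTH_ERR", "LOGIN_TIMEOUT"

# The auth stack from the common-auth quoted in the message.
COMMON_AUTH = [
    ("optional", "pam_krb5.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]

def run_stack(stack, behaviour, login_timeout):
    """Hypothetical helper. behaviour maps module -> (result, seconds it takes).
    Returns (final result, seconds elapsed, modules that were called)."""
    elapsed, called, failed, succeeded = 0, [], False, False
    for control, module in stack:
        result, seconds = behaviour[module]
        called.append(module)
        # Modules run synchronously inside the application, so a blocking
        # module eats the caller's time budget whatever its control flag is.
        if elapsed + seconds > login_timeout:
            return TIMED_OUT, login_timeout, called
        elapsed += seconds
        if result == OK:
            if not failed:
                succeeded = True
                if control == "sufficient":   # "done": stop here with success
                    return OK, elapsed, called
        elif control == "requisite":          # "die": fail immediately
            return FAIL, elapsed, called
        elif control == "required":           # "bad": remember, keep going
            failed = True
        # optional/sufficient failures are ignored and the stack continues
    return (OK if succeeded and not failed else FAIL), elapsed, called

LOGIN_TIMEOUT = 60  # constructed value for login's time limit, in seconds

# Constructed scenarios: (result, seconds) per module.
KDC_REFUSED = {"pam_krb5.so": (FAIL, 5), "pam_unix.so": (OK, 1), "pam_deny.so": (FAIL, 0)}
KRB5_BLOCKS = {"pam_krb5.so": (FAIL, 300), "pam_unix.so": (OK, 1), "pam_deny.so": (FAIL, 0)}
BAD_PASSWORD = {"pam_krb5.so": (FAIL, 5), "pam_unix.so": (FAIL, 1), "pam_deny.so": (FAIL, 0)}

if __name__ == "__main__":
    for name, scenario in [("fast krb5 failure", KDC_REFUSED),
                           ("krb5 blocks", KRB5_BLOCKS),
                           ("both fail", BAD_PASSWORD)]:
        print(name, run_stack(COMMON_AUTH, scenario, LOGIN_TIMEOUT))
```

In the blocking scenario pam_unix.so is never called, so the local password check that would have succeeded is not reached before the time limit expires.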