On 15 Aug 2016, at 11:15, Jens Rantil <jens.rantil@tink.se> wrote:
Hi,
I've been running 2.1.10+dfsg-3ubuntu0.12.04.2 for ~165 days now on a low-volume machine (~20-30 authentication requests per day). FreeRadius delegates authentication requests to the PAM (which uses Yubico's PAM module).
Yesterday, FreeRadius suddenly stopped working. Looking into the issue I noticed that FreeRadius failed to reload configuration with
Error: Unable to open file "/etc/freeradius/proxy.conf": Too many open files
Inspecting open files for the process showed me there were ~1012 open /dev/urandom:
root@tink-auth-vpn-production:/var/log# lsof|grep freerad|grep /dev/urandom|wc -l 1012
Looks like a classic file resource leak. After restarting the process, no new /dev/urandom file resources are open. Making two authentication requests opens up two /dev/urandom. I'm fairly new to FreeRadius. Should I expect /dev/urandom file descriptors to be pooled between requests? Or should they be closed between requests? Anyone with input whether this is a bug in FreeRadius or simply a misconfiguration on my part?
Also, let me know if you'd like me to debug this further.
You’re welcome to for your own edification, but that version of FreeRADIUS is EOL, and even if it does turn out to be an issue, due to the extensive refactoring in version v3.0.0 it’s unlikely that it’ll still be present. PAMs are notorious for resource leaks. It might be an idea to upgrade and use the official FreeRADIUS yubikey/yubico module instead. We do not support or recommend the use of Yubico’s modules over the ones that ship with the server. -Arran