PAM Module Patch and Feature
fcusack at fcusack.com
Sat Mar 24 00:23:41 CET 2007
On March 23, 2007 4:37:42 PM -0600 David Mitchell <mitchell at ucar.edu> wrote:
> Frank Cusack wrote:
>> On March 22, 2007 4:27:44 PM -0600 David Mitchell <mitchell at ucar.edu>
>>> I think I figured out the source for the 'odd' behavior I was seeing. In
>>> a nutshell, my timeout on the PAM module side was shorter than the delay
>>> imposed by the freeradius server for bad passwords. I need to play
>>> around more and find out what a 'safe' value is. Do you happen to know
>>> where in the freeradius/otpd/lsmd chain the bad password delay is being
>>> imposed? I can probably find it, but I'm guessing that you know.
>> The radiusd.conf 'reject_delay' option. I always set this to 0.
> Here's the really weird part. If I set reject_delay to 0, it works just
> like I expect. But if I set it to some value like 1, which is the
> default, it delays for about 30 seconds.
That sounds suspicously like the cleanup delay kicking in.
> Unless I run radiusd with -X to
> see what's going on in which case it works as expected with a one second
> delay. I'll keep digging into the cause to see if it's something in my
> build or what.
> It seems like if this was a common bug it would be reported by now, but
> I did a quick search for reject_delay in the bug database and didn't
> find anything. I'll see if I can figure it out.
That would be awesome.
It's possible that the reject_delay only recently broke.
More information about the Freeradius-Devel