
Recently I ran into the issue that an application which is performing PAM authentication was hanging for up to 20 seconds before it reported whether PAM authentication was successful or not. Other applications performing PAM authentication via exactly the same set of PAM modules (identical files in /etc/pam.d!) didn't have such a problem.

After some investigation I found out that the difference was that this one application was setting PAM_RHOST to a value prior to performing authentication, whereas the other applications were not. I also discovered that the problem would not occur if the machine was not connected to any network. In the end, it all boiled down to incorrect DNS settings on the machine. Apparently some DNS lookup was hanging, and fixing the DNS setup also made the problem vanish.

What I don't quite understand about all this is who is triggering that DNS lookup in the first place? None of the PAM modules I used will ever trigger a DNS lookup and PAM itself also doesn't seem to trigger one in its code. Not knowing where the lookup comes from is driving me nuts!

Mecki

1 Answer

Well, after an extensive search through lots of source code, I finally found the cause of this lookup.

If you look at the source code of PAM, especially the file pam_audit.c, then there is a function named _pam_audit_writelog(...), and inside this function the following call is being made:

    rc = audit_log_acct_message(audit_fd, type, NULL, buf,
                                (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
                                -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);

pamh->rhost is the storage for the PAM_RHOST item. Importantly, the next argument after pamh->rhost is actually NULL.

This is a function of the Linux Auditing Framework, and the signature of the function in question is:

    int audit_log_acct_message(int audit_fd, int type, const char *pgname,
                               const char *op, const char *name, unsigned int id,
                               const char *host, const char *addr, const char *tty,
                               int result);

So as you can see, a host is given to the function but addr is NULL. In that case, this function will try to resolve host via DNS resolution to obtain the missing address.

Thus, if a program is using PAM and the program is setting the PAM_RHOST item, PAM will indirectly trigger a DNS lookup through the Auditing Framework. As this all happens synchronously, an incorrectly configured DNS setup (e.g. multiple unreachable DNS servers and/or many search domains) can cause PAM authentication to hang for quite a while before the DNS lookup finally fails with an error. That error is ignored (the lookup is just best effort) and the login is stored without an address, so the failure of the lookup has no effect on PAM authentication either.

Mecki
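Because the audit call blocks on the resolver, the hang an application sees is bounded by how the stub resolver in /etc/resolv.conf is configured. As an added example, not part of the original question or answer, here is a small check that parses a resolv.conf and estimates the worst-case blocking time of one synchronous lookup; the sample configurations are constructed, the defaults assume glibc (timeout 5 s, 2 attempts), and the estimate uses a simplified model (each unreachable server is waited on for the full timeout in every attempt) rather than glibc's exact retry scaling. Under that model the two-server default setup gives 20 seconds, which is the hang reported in the question.

```python
import re

# Constructed sample (not from the post): the setup the answer warns about,
# two nameservers, assumed unreachable, plus a long search list.
RISKY_RESOLV_CONF = """\
nameserver 192.0.2.10
nameserver 192.0.2.11
search corp.example.com lab.example.com example.com
"""

# The same servers, but the resolver is told to give up quickly.
TIGHTENED_RESOLV_CONF = RISKY_RESOLV_CONF + "options timeout:2 attempts:1\n"

GLIBC_DEFAULT_TIMEOUT = 5   # seconds per query, "options timeout:"
GLIBC_DEFAULT_ATTEMPTS = 2  # rounds over all nameservers, "options attempts:"


def parse_resolv_conf(text):
    """Return (nameservers, search_domains, timeout, attempts)."""
    nameservers, search = [], []
    timeout, attempts = GLIBC_DEFAULT_TIMEOUT, GLIBC_DEFAULT_ATTEMPTS
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # strip comments
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            nameservers.append(args[0])
        elif keyword in ("search", "domain"):
            search = args                             # last such line wins
        elif keyword == "options":
            for opt in args:
                m = re.fullmatch(r"(timeout|attempts):(\d+)", opt)
                if m and m.group(1) == "timeout":
                    timeout = int(m.group(2))
                elif m:
                    attempts = int(m.group(2))
    return nameservers, search, timeout, attempts


def worst_case_hang_seconds(text):
    """Upper bound on how long one synchronous lookup can block.

    Model (an assumption, simpler than glibc's exact scaling): every
    nameserver is unreachable and is waited on for the full timeout in
    every attempt, so hang = servers * timeout * attempts.
    """
    nameservers, _search, timeout, attempts = parse_resolv_conf(text)
    return len(nameservers) * timeout * attempts


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_RESOLV_CONF), ("tightened", TIGHTENED_RESOLV_CONF)):
        ns, search, t, a = parse_resolv_conf(conf)
        print(f"{label}: {len(ns)} nameservers, {len(search)} search domains, "
              f"timeout={t}s attempts={a} -> up to {worst_case_hang_seconds(conf)}s per lookup")
```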