[systemd-devel] pam_systemd.so indirectly calling pam_acct_mgmt
Jakub Hrozek
jakub.hrozek at posteo.se
Fri Apr 10 07:56:25 PDT 2015
Hi,

I was looking into SSSD performance-related issues recently and I
noticed that on a fairly stock Fedora installation, the pam_sss account
phase is called twice when a user logs in via ssh. Once, the calling
service is SSH, which is totally expected, but then the account phase is
also invoked by "systemd-user". Looking at the systemd-user PAM service
on Fedora, it includes system-auth for account and session, so the
whole SSSD access control is called again.

We do have some logic in SSSD to not call into the PAM engine too often
as long as the calling peer is the same, but in this case the PAM
services and calling processes are different, so from SSSD's point of
view, it's a different access check which needs to be run in full. I
understand that systemd-user is only called when a new user session is
being created (concurrent logins don't seem to call systemd-user), but
still, there's some performance penalty.

I'm wondering why systemd-user calls the account stack at all. I can
understand the session phase, but wouldn't the account phase already be
checked by whoever was logging in the user (ssh, gdm, ...)? And more
generally, could we optimize the account phase somewhat on the SSSD side
so the full access control would not be run? Is there some heuristic we
can do?

Thanks!
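To make the double account-phase call visible, here is a small PAM stack resolver. It is an added example, not code from the post, SSSD or systemd. It parses PAM service files of the form `type control module args`, expands `include`/`substack` directives, and counts how often a module runs in a given phase across the services a single login exercises. The service files embedded below are constructed to resemble a Fedora-style `/etc/pam.d` layout (sshd pulling in password-auth, systemd-user pulling in system-auth); they are not copied from any real system, and the hypothetical `login` list of services is the sequence the post describes for an ssh login.

```python
"""Resolve PAM account stacks through include/substack and count module
calls per login. Added example; service contents below are CONSTRUCTED."""
import re
from collections import Counter

# type control module args; control may be a bracketed action list
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed stand-in for /etc/pam.d/*, keyed by service name.
PAM_D = {
    "sshd": """\
auth       substack     password-auth
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    include      password-auth
""",
    "systemd-user": """\
# constructed: mirrors the shape of the Fedora service the post describes
account  include   system-auth
session  required  pam_selinux.so close
session  required  pam_selinux.so nottys open
session  required  pam_loginuid.so
session  include   system-auth
""",
    "system-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_sss.so
session     required      pam_unix.so
""",
}
# Constructed: on Fedora password-auth is near-identical to system-auth.
PAM_D["password-auth"] = PAM_D["system-auth"]


def parse_service(text):
    """Yield (phase, control, module, args) for each directive line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        phase, control, module, args = m.groups()
        # a leading '-' marks the module as optional to load; same phase
        yield phase.lstrip("-"), control, module, args.strip()


def resolve(service, phase, pam_d, _depth=0):
    """Ordered (module, control, args) list PAM would run for `phase` of
    `service`, with include/substack expanded recursively."""
    if _depth > 8:
        raise RecursionError(f"include loop while resolving {service!r}")
    if service not in pam_d:
        raise KeyError(f"no PAM service file for {service!r}")
    stack = []
    for p, control, module, args in parse_service(pam_d[service]):
        if p != phase:
            continue
        if control in ("include", "substack"):
            stack.extend(resolve(module, phase, pam_d, _depth + 1))
        else:
            stack.append((module, control, args))
    return stack


def module_calls(services, phase, pam_d):
    """Count how many times each module runs in `phase` across all the
    PAM services one login passes through."""
    counts = Counter()
    for svc in services:
        for module, _control, _args in resolve(svc, phase, pam_d):
            counts[module] += 1
    return counts


if __name__ == "__main__":
    login = ["sshd", "systemd-user"]  # hypothetical ssh login sequence
    for svc in login:
        print(f"{svc} account stack:")
        for module, control, args in resolve(svc, "account", PAM_D):
            print(f"  {control:<14} {module} {args}")
    calls = module_calls(login, "account", PAM_D)
    print("pam_sss.so account calls per ssh login:", calls["pam_sss.so"])
```

Running it against these constructed files reports one `pam_sss.so` account call from sshd and one from systemd-user, which is exactly the duplicated access check the post measures; pointing `PAM_D` at real `/etc/pam.d` contents gives the same kind of audit for any service pair.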