[systemd-devel] pam_systemd.so indirectly calling pam_acct_mgmt

Jakub Hrozek jakub.hrozek at posteo.se
Fri Apr 10 07:56:25 PDT 2015


I was looking into SSSD  performance-related issues recently and I 
noticed that on a fairly stock Fedora installation, the pam_sss account 
phase is called twice when a user logs in via ssh. Once the calling 
service is SSH, which is totally expected, but then the account phase is 
invoked also by "systemd-user".  Looking at the systemd-user PAM service 
on Fedora, it  includes system-auth for account and session, so the 
whole SSSD access control is called again.

We do have some logic in SSSD to not call into the PAM engine too often 
as long as the calling peer is the same, but in this case the PAM 
services and calling processes are different, so from SSSD point of 
view, it's a different access check which needs to be run in full. I 
understand that systemd-user is only called when a new user session is 
being created, concurrent logins don't call systemd-user it seems, but 
still, there's some performance penalty.

I'm wondering why does systemd-user call the account stack at all? I can 
understand the session phase, but wouldn't the account phase be already 
checked by whoever was logging in the user (ssh, gdm, ...). And more 
generally, could we optimize the account phase somewhat on the SSSD side 
so the full access control would not be run? Is there some heuristic we 
can do?


More information about the systemd-devel mailing list