openssh bugs - Mar 2025 - [Bug 3799] New: Slow login with PAM enabled when connecting to sshd socket listening on Guest Vsock

https://bugzilla.mindrot.org/show_bug.cgi?id=3799

            Bug ID: 3799
           Summary: Slow login with PAM enabled when connecting to sshd
                    socket listening on Guest Vsock
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: assamhaa at gmail.com

Hello, I've been trying to ssh (using password) through VSock into a
guest VM (Almalinux 9) with PAM enabled by default. I'm consistently
getting delays for every before PAM-related sshd log message. Disabling
PAM makes the authentication instantaneous.

Also, hopping through VSock to TCP to sshd (using nc or socat) doesn't
suffer from the delay too, so PAM is fine as long as the previous hop
right before it is not VSock.

PAM takes a while to traverse the auth, account, and session stages
even with the below minimal configuration of /etc/pam.d/sshd:

auth       sufficient   pam_permit.so
account    sufficient   pam_permit.so
password   include      password-auth
session    sufficient   pam_permit.so

You can find more details on this issue opened on the linux-pam
maintainers
https://github.com/linux-pam/linux-pam/issues/885#issuecomment-2700963339

I'm running an aarch64 Almalinux 9 guest on an aarch64 fedora 41

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3799

assamhaa at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |assamhaa at gmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3799

assamhaa at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|Other                       |ARM64

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3799

signups at svenstaro.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |signups at svenstaro.org

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3799

xenia <xenia at ccs.neu.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xenia at ccs.neu.edu

--- Comment #1 from xenia <xenia at ccs.neu.edu> ---
As far as I can tell, the root cause of this is that sshd sets
PAM_RHOST to "UNKNOWN" (literal string) when the socket is non-TCP/IP,
and then PAM tries to do a DNS lookup for "UNKNOWN" several times.
This
seems like a genuine sshd bug to me. It should not be sending an
invalid hostname to pam via PAM_RHOST if it doesn't actually know the
remote hostname. I can try to write up a patch if there's interest.
(Otherwise, I resolved this issue currently with a hack -- if there's
an entry for "UNKNOWN" in /etc/hosts everything is fine and there are
no delays)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.