[RADIATOR] AuthHEIMDALDIGEST and defunct kdigest processes
Johan Wassberg
jocar at su.se
Thu Jan 31 13:10:48 UTC 2019
Hi!
We are using Radiator with AuthHEIMDALDIGEST and recently upgraded from 4.15 to
4.22. We have noticed that 4.22 is leaving a lot of defunct `kdigest` processes
which over time is causing Radiator to crash due to trouble forking new
`kdigest`s.
Found that the AuthHEIMDALDIGEST has been modified between the versions
and the new version runs `waitpid` on the child process. Our guess is
that there is a race-condition between the file descriptors closing
and the child returning `SIGCHLD` which make `waitpid` have no effect at
all.
To test this we modified AuthHEIMDALDIGEST.pm:
```
--- AuthHEIMDALDIGEST.pm 2019-01-31 10:51:41.860109152 +0100
+++ AuthHEIMDALDIGEST.pm.mod 2019-01-31 10:51:54.949232773 +0100
@@ -239,7 +239,10 @@
$self->log($main::LOG_ERR, "AuthHEIMDALDIGEST Unexpected output from kdigest: $output.", $p);
}
close($read); close($write);
- waitpid($child_pid, WNOHANG); # Reap it
+ my $return = waitpid($child_pid, WNOHANG); # Reap it
+ if ($return <= 0) {
+ $self->log($main::LOG_ERR, "AuthHEIMDALDIGEST kdigest_digest waitpid missed child ($child_pid), waitpid returned $return");
+ }
return 1 if ($status && $status eq "ok");
return 0;
@@ -294,7 +297,10 @@
$self->log($main::LOG_ERR, "AuthHEIMDALDIGEST Unexpected output from kdigest: $output.", $p);
}
close($read); close($write);
- waitpid($child_pid, WNOHANG); # Reap it
+ my $return = waitpid($child_pid, WNOHANG); # Reap it
+ if ($return <= 0) {
+ $self->log($main::LOG_ERR, "AuthHEIMDALDIGEST kdigest_challenge waitpid missed child ($child_pid), waitpid returned $return") ;
+ }
unless ($context->{kdigest_challenge} && $context->{kdigest_opaque})
{
```
That gives the following debug output:
```
Thu Jan 31 09:39:36 2019: DEBUG: Handling request with Handler 'NAS-Identifier=/Example/, RecvFromAddress=/^127.0.0.1/', Identifier ''
Thu Jan 31 09:39:36 2019: DEBUG: SessINTERNAL: Deleting session for jocar, 127.0.0.1,
Thu Jan 31 09:39:36 2019: DEBUG: Handling with Radius::AuthHEIMDALDIGEST: InnerEAP
Thu Jan 31 09:39:36 2019: DEBUG: Radius::AuthHEIMDALDIGEST looks for match with jocar [jocar]
Thu Jan 31 09:39:36 2019: DEBUG: AuthHEIMDALDIGEST challenge command: /usr/sbin/kdigest digest-server-init --type=CHAP --kerberos-realm=EXAMPLE.COM
Thu Jan 31 09:39:36 2019: DEBUG: AuthHEIMDALDIGEST challenge command output: type=CHAP
Thu Jan 31 09:39:36 2019: DEBUG: AuthHEIMDALDIGEST challenge command output: server-nonce=4e62aecb9f98579ad93b4ea84223b9d6
Thu Jan 31 09:39:36 2019: DEBUG: AuthHEIMDALDIGEST challenge command output: identifier=3A
Thu Jan 31 09:39:36 2019: DEBUG: AuthHEIMDALDIGEST challenge command output: opaque=4e62aecb9f98579ad93b4ea84223b9d64e62aecb9f98579ad93b4ea84223b9d6
Thu Jan 31 09:39:36 2019: ERR: AuthHEIMDALDIGEST kdigest_challenge waitpid missed child (22311), waitpid returned 0
Thu Jan 31 09:39:36 2019: DEBUG: AuthHEIMDALDIGEST digest command: /usr/sbin/kdigest digest-server-request --type=CHAP --username=jocar --opaque=4e62aecb9f98579ad93b4ea84223b9d64e62aecb9f98579ad93b4ea84223b9d6 --server-identifier=01 --server-nonce=4e62aecb9f98579ad93b4ea84223b9d6 --client-response=4e62aecb9f98579ad93b4ea84223b9d6 --kerberos-realm=EXAMPLE.COM
Thu Jan 31 09:39:36 2019: DEBUG: AuthHEIMDALDIGEST digest command output: status=failed
Thu Jan 31 09:39:36 2019: DEBUG: AuthHEIMDALDIGEST digest command output: tickets=no
Thu Jan 31 09:39:36 2019: ERR: AuthHEIMDALDIGEST kdigest_digest waitpid missed child (22312), waitpid returned 0
Thu Jan 31 09:39:36 2019: DEBUG: Radius::AuthHEIMDALDIGEST REJECT: AuthBy HEIMDALDIGEST Password check failed: jocar [jocar]
Thu Jan 31 09:39:36 2019: DEBUG: AuthBy HEIMDALDIGEST result: REJECT, AuthBy HEIMDALDIGEST Password check failed
Thu Jan 31 09:39:36 2019: INFO: Access rejected for jocar: AuthBy HEIMDALDIGEST Password check failed
```
One solution could be to run `waitpid` with "-1" in a loop instead of
the real pid and therfor handling all childs that sent `SIGCHLD` in the
next authentication. Another soution could be to remove `WNOHANG` making
`waitpid` block until the child returns. Not sure if that has any
performance issues or why you implemented `waitpid` with `WNOHANG` from
the beginning.
Let me know if there is anything else I can provide to easier resolve
this issue.
--
jocar
More information about the radiator
mailing list