Some time ago, an update for PAM.d was released on Debian 12 Linux. Updates of this kind are extremely rare, and after it was installed, long delays were observed when attempting to log in to the following services:
ProFTPd
In our case, it runs through the xinetd service and is not a standalone service, meaning authorization is handled through PAM.d.
SSH
The following option was enabled by default in the SSH server configuration file (sshd_config):
UsePAM yes
Thus, both services depend on PAM.d settings.
Solution
The cause of the long delays was the presence of the line:
session optional pam_systemd.so
in the configuration file
/etc/pam.d/common-session
Without that line, the file should look like this:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
# end of pam-auth-update config
After making these changes, authorization started working quickly again without delays.
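One way to apply the change described above is sketched here as an added example, not code from the original article. It comments the pam_systemd.so line out instead of deleting it and keeps a backup copy; the function names and the ".bak" suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): disable active pam_systemd.so session
# lines in a PAM file. Function names and the ".bak" suffix are hypothetical.

# Print active (uncommented) session lines that load pam_systemd.so.
# A leading "-" before "session" is valid PAM syntax and is matched too.
active_pam_systemd() {
    grep -E '^[[:space:]]*-?session[[:space:]].*pam_systemd\.so' "$1"
}

# Comment those lines out in place, saving the original as FILE.bak first.
# Returns 0 if lines were disabled, 1 if nothing needed changing, 2 on error.
disable_pam_systemd() {
    file=${1:-/etc/pam.d/common-session}   # default: path named in the article
    [ -r "$file" ] || return 2
    active_pam_systemd "$file" >/dev/null || return 1
    cp -p "$file" "$file.bak" || return 2
    tmp=$(mktemp) || return 2
    sed -E 's/^([[:space:]]*-?session[[:space:]].*pam_systemd\.so.*)$/# disabled: \1/' \
        "$file.bak" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
}

# Usage (as root, from a session you can recover from if PAM breaks):
#   disable_pam_systemd /etc/pam.d/common-session
#   active_pam_systemd  /etc/pam.d/common-session   # prints nothing once disabled
```

Keep an existing root session open while testing a new login, so the backup can be restored if needed. With the line disabled, new logins are no longer registered with systemd-logind, so check anything that relies on loginctl sessions.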