Large /var/log/btmp file wrecks PAM performance and causes 2-3 seconds delay in su/sudo/ssh login. #270

Open
@PauluzzNL

First and foremost, my apologies if this is placed incorrectly.

I just spent a day figuring out why su to another user had an unexplainable 2-3 seconds delay. Similar delays applied to connecting to the server with SSH.

Example:
su <someuser> -c "whoami" could take between 2-3 seconds.

With
strace -o trace.log su <someuser> -c "whoami" I was able to get more information.

After going back and forth a bit I found the following lines in the strace:

     0.000053 openat(AT_FDCWD, "/var/log/btmp", O_RDONLY) = 7
     0.000065 read(7, "\6\0\0\0T\355#\0ssh:notty\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
     0.000059 read(7, "\6\0\0\0T\355#\0ssh:notty\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
     0.000056 read(7, "\6\0\0\0k\355#\0ssh:notty\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384
     0.000056 read(7, "\6\0\0\0n\355#\0ssh:notty\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384

and this continued for thousands of lines. After emptying the /var/log/btmp file both sudo and an SSH connection were blazing fast again.

For such operations, it does not make sense that it is required to load/read the whole file in order to do this operation?

I'm running CentOS Linux release 8.2.2004 (Core)
Kernel 4.18.0-193.19.1.el8_2.x86_64.

No changes to default settings.

Of course I can provide more information if required.

Keywords: var log btmp, slow ssh, slow sudo, slow su. seconds delay with su to user.
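Added example, not part of the original issue or the project's code: a parser for the 384-byte records seen in the strace reads above, which reports how many failed-login records a btmp file holds and which users and hosts account for them. It assumes the glibc `struct utmp` layout on x86_64 Linux; the helper names and the sample records are constructed for illustration.

```python
import struct
from collections import Counter

# Linux struct utmp on x86_64 (glibc): 384 bytes per record, as in the strace reads.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
assert UTMP.size == 384


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_btmp(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    usable = len(data) - len(data) % UTMP.size
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def summarize(data, top=3):
    """Return record count, time span and the busiest users/hosts."""
    users, hosts, times, n = Counter(), Counter(), [], 0
    for rec in parse_btmp(data):
        n += 1
        users[rec["user"]] += 1
        hosts[rec["host"]] += 1
        times.append(rec["time"])
    return {"records": n, "bytes": len(data),
            "first": min(times) if times else None, "last": max(times) if times else None,
            "top_users": users.most_common(top), "top_hosts": hosts.most_common(top)}


def make_record(pid, user, host, ts):
    """Build a constructed type-6 (LOGIN_PROCESS) 'ssh:notty' record for the demo."""
    return UTMP.pack(6, pid, b"ssh:notty", b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample data (not from the issue): 5 failed-login records plus 10 stray bytes.
SAMPLE = b"".join(make_record(2354516 + i, u, h, 1600000000 + i) for i, (u, h) in enumerate([
    ("root", "192.0.2.10"), ("root", "192.0.2.10"), ("admin", "192.0.2.10"),
    ("root", "198.51.100.7"), ("test", "192.0.2.10")])) + b"\0" * 10

if __name__ == "__main__":
    print(summarize(SAMPLE))
    # On a real host (needs root): summarize(open("/var/log/btmp", "rb").read())
```

A large record count concentrated on a few hosts points to sustained SSH password guessing as the source of the file growth.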
