Bug#543941: Ping! OpenVPN with LDAP+TLS authentication runs into file exhaustion

Lars Ellenberg lars.ellenberg at linbit.com
Sun Nov 8 09:13:52 UTC 2009

On Thu, Nov 05, 2009 at 10:43:29AM +0100, Simon Josefsson wrote:
> Lars Ellenberg <lars.ellenberg at linbit.com> writes:
> > OpenVPN with LDAP+TLS authentication runs into file exhaustion
> >
> >> Issue is only happening when LDAP is used with TLS support. On every
> >> authentication, a file handle to /dev/urandom is created but never
> >> released.
> >> 
> >> Because the handle to /dev/urandom is never released, after some times
> >> the service had been running, users will fail to authentication because
> >> the backend is not able to open new file handles on /dev/urandom.
> >
> > As there has been absolutely no reaction yet, maybe you just missed it.
> > Please have a look again at
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543941#36
> Did you miss this discussion?
> http://thread.gmane.org/gmane.comp.encryption.gpg.libgcrypt.devel/2125


> In short, dlopen/dlclose usage of libgcrypt is not supported.

No. In short, libgcrypt is aware that they don't cleanup properly
on dlclose, and is "too lazy" to provide proper cleanup handlers
for this (perceived as) rare usecase.

> Possibly GnuTLS could use Nettle as a the crypto library instead of
> libgcrypt.  I'll look into this.


In case that turns out to be too cumbersome for a short term fix, may I suggest
to simply add that "get an extra reference on libgcrypt" hack to a place of
your chosing.

It is a valid workaround: the authenticator process of openvpn
is a long lived process.
Pam may then dlopen/dlclose in pairs as much as it likes, because of the extra
reference, libgcrypt will not reach a useage count of zero, will not be
unloaded, will not reach the FIPS "shutdown" state but remain operational.
And the best of it: will not leak file descriptors to urandom.

BTW: you may also document this workaround as an easy ad-hoc hot-fix:

	LD_PRELOAD=/lib/security/pam_ldap.so  openvpn ...

which does exactly the same: get some extra references on the
libraries involved.

: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.

More information about the Pkg-gnutls-maint mailing list