Whats `/usr/sbin/unix_chkpwd root nullok`

Jeeves_

Jeeves_

Member
Proxmox Subscriber
Jan 7, 2025
26
30
13
Ede, NL
www.tuxis.nl
Hi,

Playing around with S3 backups and I see a lot of `/usr/sbin/unix_chkpwd root nullok` scrolling by. What are they used for? It seems to be combined with S3 only?
 
  • Like
Reactions: Johannes S
Hi,
this does not ring a bell..

Can you please share further details, e.g. where you see these messages, what operations are performed when this happens?

Checked the systemd journal of one of my test instances and there I do see unix_chkpwd messages only in relation to authentication failures with the PBS API. But with e.g. password check failed for user (root)
 
I think I found it. This is a test-instance which authenticates as root@pam. It looks like every call reauthenticates against pam, which runs `/usr/sbin/unix_chkpwd root nullok` in turn.

Sounds that it could use some caching, but caching and authentication... :)
 
  • Like
Reactions: Johannes S
Jeeves_ said:
I think I found it. This is a test-instance which authenticates as root@pam. It looks like every call reauthenticates against pam, which runs `/usr/sbin/unix_chkpwd root nullok` in turn.
Click to expand...
Did you change the pam configuration, these messages do not show up here?

Jeeves_ said:
Sounds that it could use some caching, but caching and authentication... :)
Click to expand...
There already is user caching in place, e.g. see [0]. That's why I was wondering what operations are being performed when you see this.

Further, please note that you can use API tokens or PBS relam instead of pam authentication, if that is what you want.


[0] https://git.proxmox.com/?p=proxmox-...97c318efd69c69140c88bf58008f2dfcf;hb=HEAD#l91
 
It happens during a verify of a local datastore too:


Code: 
root@pbs-s3-demo:~/straces# proxmox-backup-manager task list
┌──────────────────────────┬─────────┬───────────────────────────────────────────────────────────────────────────────┬─────────┐
│ starttime                │ endtime │ upid                                                                          │ status  │
╞══════════════════════════╪═════════╪═══════════════════════════════════════════════════════════════════════════════╪═════════╡
│ Wed Sep 24 10:50:52 2025 │         │ UPID:pbs-s3-demo:00172EA0:027F3BA5:00000003:68D3B0EC:verify:backups:root@pam: │ running │
└──────────────────────────┴─────────┴───────────────────────────────────────────────────────────────────────────────┴─────────┘
root@pbs-s3-demo:~/straces# grep pwd * | wc -l
283
root@pbs-s3-demo:~/straces# strace -ff -p 1519251 -o chkpwd -s0^C
root@pbs-s3-demo:~/straces# ps auxww | grep 1519251
root     1519251  2.2  0.3 729248 26744 ?        Ssl  10:50   0:06 /usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-backup-api
 
Is it maybe because the owner of the backups is root@pam?
 
PBS does not directly involve this, so as already stated my guess is you have some configuration changes for the pam modules triggering this, see also https://linux.die.net/man/8/pam_unix

Jeeves_ said:
Is it maybe because the owner of the backups is root@pam?
Click to expand...
It is most likely triggered by the pam authentication of the api calls, yes.
 
There have been no changes to this machine, whatsoever. It is a install as basic as it gets.
 
what's is your proxmox-backup-manager version --verbose? And please specify where you see this errors. In the systemd journal or somewhere else?

Edit: Did test if I see these messages on a fresh PBS4 install from the iso when backing up a CT using root@pam as auth user to a local datastore. However no such messages in the systemd journal. Can you please share the exact steps you are taking to trigger this?
 
Last edited:
Code: 
root@pbs-s3-demo:~# proxmox-backup-manager version --verbose
proxmox-backup                      4.0.0         running kernel: 6.14.11-2-pve
proxmox-backup-server               4.0.15-1      running version: 4.0.15
proxmox-kernel-helper               9.0.4
proxmox-kernel-6.14.11-2-pve-signed 6.14.11-2
proxmox-kernel-6.14                 6.14.11-2
proxmox-kernel-6.14.11-1-pve-signed 6.14.11-1
proxmox-kernel-6.14.8-2-pve-signed  6.14.8-2
ifupdown2                           3.3.0-1+pmx10
libjs-extjs                         7.0.0-5
proxmox-backup-docs                 4.0.15-1
proxmox-backup-client               4.0.15-1
proxmox-mail-forward                1.0.2
proxmox-mini-journalreader          1.6
proxmox-offline-mirror-helper       0.7.2
proxmox-widget-toolkit              5.0.5
pve-xtermjs                         5.5.0-2
smartmontools                       7.4-pve1
zfsutils-linux                      2.3.4-pve1

Please note that I do not see this in a journal, I see the process running (often, with different PID's and a relative high amount of CPU usage).
 
Jeeves_ said:
Please note that I do not see this in a journal, I see the process running (often, with different PID's and a relative high amount of CPU usage).
Click to expand...
Cannot reproduce the high load there either, but that might be related to password hashing on login. Is this test machine the one you mention here? https://forum.proxmox.com/threads/t...-backup-server-beta-service.76320/post-801635

You could see if the use of API tokens or PBS realm reduces the load in that case.

Edit: How many calls to /api2/json/access/ticket you see in the access logs at /var/log/proxmox-backup/api/access.log?
 
Last edited:
You must log in or register to reply here.
Top Bottom