Kallithea issues archive

Issue #180: pam authentication very slow + fix

Reported by: Silas De Munck
State: resolved
Created on: 2015-12-18 10:48
Updated on: 2018-05-19 15:21


Using pam authentication with Mercurial over HTTP is very slow.

I think this is caused by the fact that Mercurial always tries to perform an operation anonymously and after that, tries authentication based on username.

A simple 'hg pull' results in 4 calls to the pam module (slow) to authenticate user '' (empty string) + 4 normal calls with username. The empty string also skips the cache in auth_pam.py. And the cache TTL is only 4 seconds, therefore the cache is also invalid most of the time for the valid calls with username. I think the pam module should not call pam for an empty user?

FIX: At the beginning of the auth(...) function in auth_pam.py add the following:

        # abort if empty username
        if not username:
            return None

Result of 'time hg pull'

* Before: 17s

* After: 3s



Comment by Silas De Munck, on 2015-12-18 10:49

Comment by Silas De Munck, on 2015-12-18 10:55

Comment by Mads Kiilerich, on 2015-12-22 13:50


But how come reducing the number of pam auth calls by a factor of 2 could reduce the time by a factor of 5?

Comment by Silas De Munck, on 2015-12-22 14:25

I think this is because of the cache TTL, which is by default 4 seconds. The numerous calls seem to take longer than that, invalidating the cache, hence even more pam calls?
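Added example, not Kallithea's auth_pam.py and not written by anyone in this thread: a simulation of the interaction described in the report and in the comment above, where slow anonymous PAM calls push the clock past the 4-second TTL so the cached result for the real user expires between requests. The 2-second PAM latency, the account "alice", the success-only cache keyed on a credential digest, and all class and function names are assumptions made for the model.

```python
import hashlib

CACHE_TTL = 4.0    # seconds; the default TTL quoted in the issue
PAM_LATENCY = 2.0  # assumed cost of one PAM call (constructed value)


class SimulatedPamAuth:
    """Toy model of a PAM auth plugin with a success-only TTL cache."""

    def __init__(self, reject_empty_username):
        self.reject_empty_username = reject_empty_username
        self.clock = 0.0    # simulated wall clock, advanced only by PAM calls
        self.pam_calls = 0
        self._cache = {}    # credential digest -> time of last PAM success

    def _pam_authenticate(self, username, password):
        # Stand-in for the slow PAM round trip; one constructed valid account.
        self.pam_calls += 1
        self.clock += PAM_LATENCY
        return (username, password) == ("alice", "s3cret")

    def auth(self, username, password):
        if self.reject_empty_username and not username:
            return None  # the early return proposed in the issue
        # Key on username and password so a hit never accepts a wrong password.
        key = hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()
        stamp = self._cache.get(key)
        if stamp is not None and self.clock - stamp < CACHE_TTL:
            return username  # cache hit, no PAM call
        if not self._pam_authenticate(username, password):
            return None  # failures are never cached
        self._cache[key] = self.clock
        return username


def simulate_pull(reject_empty_username, requests=4):
    """Each HTTP request is tried anonymously first, then with credentials."""
    plugin = SimulatedPamAuth(reject_empty_username)
    for _ in range(requests):
        plugin.auth("", "")
        if plugin.auth("alice", "s3cret") != "alice":
            raise RuntimeError("valid credentials were rejected")
    return plugin.pam_calls, plugin.clock


if __name__ == "__main__":
    print("without the check:", simulate_pull(False))
    print("with the check:   ", simulate_pull(True))
```

In this model the early return removes the four anonymous PAM calls and also keeps the four authenticated requests inside one TTL window, which is why the saving is larger than a factor of 2.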

Comment by Thomas De Schampheleire, on 2018-05-19 15:21

Fixed with 74e669d8a479