pam_access Configuration Treats TTY Names as Hostnames
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Comments in PAM service files at /etc/pam.d/* suggest a line to uncomment to configure complicated authorization rules using pam_access (which in turn is configured by /etc/security/
/etc/pam.d/sshd:
# Uncomment and edit /etc/security/
# access limits that are hard to express in sshd_config.
# account required pam_access.so
/etc/pam.d/login:
# Uncomment and edit /etc/security/
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
Comments in /etc/security/
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."),
I wanted to configure a user on my server, 'localadmin', who can only log in on the console and not via any network service and tried to achieve this using pam_access as follows:
I uncommented the default ‘account required pam_access.so’ lines in /etc/pam.d/sshd and /etc/pam.d/login.
I added the following to /etc/security/
+:localadmi
-:localadmi
This seems to work: login via SSH fails and login on the console succeeds, as expected.
However, /var/log/auth.log suspiciously indicates it is treating tty1 as a hostname during the failed SSH attempt:
Dec 15 01:28:12 server sshd[5868]: pam_access(
Dec 15 01:28:12 server sshd[5868]: pam_access(
It is confirmed to be doing DNS lookups for 'tty1' in the search domain during the login attempt:
admin@server:~$ resolvectl status eth0
...
DNS Servers: 10.0.0.2
DNS Domain: example.com
admin@server:~$ sudo tcpdump -i eth0 -n port 53
01:28:12.100348 IP 10.0.0.42.44968 > 10.0.0.2.53: 21558+ [1au] A? tty1.example.com. (45)
01:28:12.100666 IP 10.0.0.42.44669 > 10.0.0.2.53: 40453+ [1au] AAAA? tty1.example.com. (45)
01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44968: 21558 NXDomain* 0/1/1 (95)
01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44669: 40453 NXDomain* 0/1/1 (95)
I configured my DNS service to resolve hostname 'tty1' to the IP address the SSH connection originates from:
admin@server:~$ dig +short tty1.example.com
10.0.0.101
SSH access is then unexpectedly allowed:
user@
inet 10.0.0.101/24 ...
user@
localadmin@
localadmin@
I think the local origins should be completely separated from network origins in /etc/security/
Other requested bug report info:
root@server:~# lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
root@server:~# apt-cache policy pam
N: Unable to locate package pam
root@server:~# apt-cache policy libpam-modules
libpam-modules:
Installed: 1.4.0-11ubuntu2.3
Candidate: 1.4.0-11ubuntu2.3
Version table:
*** 1.4.0-11ubuntu2.3 500
500 http://
500 http://
100 /var/lib/
1.
500 http://
Changed in pam (Ubuntu): status: New → Confirmed
Steve, nice find. I haven't really thought much about this file, it always seemed a bit of a relic of the time when there were individually-wired serial connections to different offices.
I believe for your actual use case, "LOCAL" is the better choice.
As for the rest of it, it feels like the solution would be removing DNS / names from the interface entirely. That's a pretty drastic change and probably not suitable.
Can we make this bug public? I believe it'd be easier to discuss with others if it were public.
Thanks
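The following is an added illustration, not part of the bug report or of the pam_access source. It is a small Python model of what the report and the reply above describe: the third field of /etc/security/access.conf is matched against the tty name for a console login but is resolved as a host name for a network login, so a rule keyed on "tty1" can be satisfied by an SSH client whose address tty1.example.com resolves to. The two access.conf lines in the report are truncated on the page; the rules below are my reconstruction (allow localadmin on tty1, deny localadmin everywhere else), the DNS answer is a constructed stand-in for the reporter's resolver, and the LOCAL semantics (matches only a login with no remote host) are an assumption of this model, used to show why the reply recommends LOCAL over a tty name.

```python
"""Simplified model of how an access.conf origin field is matched.

Constructed for illustration; this is NOT the pam_access source. It models only
what the bug report shows: the third field of /etc/security/access.conf is a
list of tty names, host names, domain names (leading '.') or keywords (ALL,
LOCAL), and one and the same token is compared against the tty for a console
login but resolved as a host name for a network login.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the reporter's DNS, where tty1.example.com was made
# to resolve to the SSH client's address. Real pam_access uses getaddrinfo().
FAKE_DNS = {"tty1.example.com": {"10.0.0.101"}}
SEARCH_DOMAIN = "example.com"   # the resolver search domain seen in the tcpdump


@dataclass
class Login:
    user: str
    tty: Optional[str] = None     # set for console logins
    rhost: Optional[str] = None   # set for network logins (client IP as sshd passes it)


def resolve(name: str) -> set:
    """Model the search-domain lookup seen in the capture: 'tty1' -> 'tty1.example.com'."""
    if "." not in name:
        name = f"{name}.{SEARCH_DOMAIN}"
    return FAKE_DNS.get(name, set())


def parse_access_conf(text: str) -> list:
    """Parse 'permission : users : origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(token: str, login: Login) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":
        # Assumption of this model: LOCAL matches a login with no remote host.
        return login.rhost is None
    if login.rhost is None:
        return token == login.tty            # console login: compare with the tty name
    if token.startswith("."):
        return login.rhost.endswith(token)   # domain suffix (only useful when rhost is a name)
    # Network login: the same token is treated as a host name or address and
    # compared with the client. This is the behaviour the report demonstrates:
    # 'tty1' is looked up in DNS and matched against the SSH client's IP.
    return token == login.rhost or login.rhost in resolve(token)


def check_access(rules: list, login: Login) -> bool:
    """First matching line wins; with no match pam_access grants access."""
    for allow, users, origins in rules:
        if ("ALL" in users or login.user in users) and any(origin_matches(t, login) for t in origins):
            return allow
    return True


# My reconstruction of the reporter's two lines (the page shows them truncated):
# allow localadmin on tty1, deny localadmin everywhere else.
TTY_RULES = parse_access_conf("+:localadmin:tty1\n-:localadmin:ALL\n")
# The variant the reply suggests: key the exception on LOCAL, not on a tty name.
LOCAL_RULES = parse_access_conf("+:localadmin:LOCAL\n-:localadmin:ALL\n")

CONSOLE = Login("localadmin", tty="tty1")
SSH_OTHER = Login("localadmin", rhost="10.0.0.50")    # tty1.example.com does not resolve here
SSH_SPOOF = Login("localadmin", rhost="10.0.0.101")   # the address tty1.example.com resolves to


def run_cases() -> dict:
    return {
        "tty_rules/console": check_access(TTY_RULES, CONSOLE),
        "tty_rules/ssh_other": check_access(TTY_RULES, SSH_OTHER),
        "tty_rules/ssh_spoof": check_access(TTY_RULES, SSH_SPOOF),
        "local_rules/console": check_access(LOCAL_RULES, CONSOLE),
        "local_rules/ssh_spoof": check_access(LOCAL_RULES, SSH_SPOOF),
    }


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print(f"{name:24s} -> {'allow' if allowed else 'deny'}")
```

Run stand-alone it prints one line per case: with the tty-keyed rules the console login and the SSH login from 10.0.0.101 are both allowed, which is the unexpected result in the report; with the LOCAL-keyed rules only the console login is allowed, because the keyword is decided by whether a remote host is present rather than by a name that can be resolved.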