pam_access.so considers tty* names as hostnames #834
Description
Yes I have seen #345 and #711, and I am using pam 1.6.1.
$ pacman -Q pam openssh
pam 1.6.1-3
openssh 9.8p1-2
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth include system-remote-login
account required pam_access.so
account include system-remote-login
password include system-remote-login
session include system-remote-login
The sample access.conf shipped with pam contains the following
linux-pam/modules/pam_access/access.conf, lines 81 to 82 at 63ba6e4:
# User "root" should be allowed to get access via cron .. tty5 tty6.
#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
If I uncomment this configuration, I can see that pam_access considers every token a hostname.
trace of getaddrinfo calls in sshd during login
$ cat gai.bt
#!/bin/bpftrace
uprobe:/usr/lib/libc.so.6:getaddrinfo /arg0 != 0/
{
@start[tid] = nsecs;
@host[tid] = str(arg0);
}
uretprobe:/usr/lib/libc.so.6:getaddrinfo /@start[tid] > 0/
{
$diff = nsecs - @start[tid];
printf("%s %s %d ms\n", comm, @host[tid], $diff/1e6);
}
END
{
clear(@start);
clear(@host);
}
$ grep -v '^#' /etc/security/access.conf
+:rpigott:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
EDIT: system-remote-login already included pam_access.so, so it was accidentally included twice here and we see all the host lookups duplicated:
$ sudo bpftrace gai.bt # login as rpigott from my laptop
Attaching 3 probes...
sshd-session cron 2 ms
sshd-session crond 1 ms
sshd-session :0 1 ms
sshd-session tty1 1 ms
sshd-session tty2 1 ms
sshd-session tty3 0 ms
sshd-session tty4 0 ms
sshd-session tty5 0 ms
sshd-session tty6 0 ms
sshd-session cron 0 ms
sshd-session crond 0 ms
sshd-session :0 0 ms
sshd-session tty1 0 ms
sshd-session tty2 0 ms
sshd-session tty3 0 ms
sshd-session tty4 0 ms
sshd-session tty5 0 ms
sshd-session tty6 0 ms
^C
So we see DNS lookups for cron, crond, :0, and the tty names. To me this is not expected behavior — the documentation makes it sound as if at least the tty* values are intended only to match tty names, and my intention was not for any of these to be considered hostnames but only service/tty names.
I really think there should probably be a configuration that only permits qualified hostnames, and tokens should then be considered hostnames only if they contain a dot; otherwise I will accidentally permit hosts named "tty*".
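As an added example (not part of this issue or of Linux-PAM), a small Python audit script that parses an access.conf in the three-field layout shown above and lists the origin tokens that, judging by the getaddrinfo trace in this report, would be handed to the resolver: anything that is not an ALL/LOCAL/NONE keyword, an address or network, or a dotted name. The classification rules, the helper names and the sample file contents are assumptions for illustration.

```python
import re

# Constructed sample, mirroring the rule line from the report plus two extra rules.
SAMPLE_ACCESS_CONF = """\
# comment
+:rpigott:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+:admins:LOCAL 10.0.0.0/8 bastion.example.org
-:ALL:ALL
"""

KEYWORDS = {"ALL", "LOCAL", "NONE"}
# IPv4 address, optionally with a /prefix or /netmask suffix (assumed grammar).
IPV4_OR_NET = re.compile(
    r"^\d{1,3}(?:\.\d{1,3}){3}(?:/(?:\d{1,2}|\d{1,3}(?:\.\d{1,3}){3}))?$")


def classify_origin(token):
    """Classify one origins-field token.
    Assumption drawn from the trace above: a token that is not a keyword,
    an address or a dotted name (e.g. 'tty1', 'cron', ':0') is still passed
    to getaddrinfo, so it is reported as 'unqualified-lookup'."""
    if token in KEYWORDS:
        return "keyword"
    if IPV4_OR_NET.match(token) or token.count(":") >= 2:  # IPv4[/mask] or IPv6
        return "address"
    if "." in token.strip("."):  # bare FQDN or leading-dot domain suffix
        return "qualified-hostname"
    return "unqualified-lookup"


def parse_access_conf(text):
    """Yield (line_no, permission, users, origin_tokens) per rule line.
    Splits on the first two colons only, so an X display token such as ':0'
    in the origins field survives the split."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed rule; skipped here, logged by the real module
        permission, users, origins = (p.strip() for p in parts)
        yield line_no, permission, users, origins.split()


def find_resolved_tokens(text):
    """Return [(line_no, token)] for tokens that would trigger a resolver call."""
    return [(n, tok) for n, _p, _u, toks in parse_access_conf(text)
            for tok in toks if classify_origin(tok) == "unqualified-lookup"]


if __name__ == "__main__":
    for line_no, tok in find_resolved_tokens(SAMPLE_ACCESS_CONF):
        print(f"line {line_no}: token {tok!r} will be resolved as a hostname")
```

Run it against /etc/security/access.conf to see which service and tty names a rule set would turn into DNS queries before the module is tightened.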