[Bug 2046526] Re: pam_access Configuration Treats TTY Names as Hostnames
Seth Arnold
2046526@bugs.launchpad.net
Sat Dec 16 00:55:39 UTC 2023
I wondered if it would look up LOCAL too but figured the reference in
the manual to pam_get_item(3) meant that it would special-case this one
without any lookups. I should have looked at the source instead.
I like your idea of using two different files for local vs networked
services. (Though that doesn't exactly help with su or sudo, since they
can be used by both.)
It's not ideal but it's straightforward.
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/2046526
Title:
pam_access Configuration Treats TTY Names as Hostnames
Status in pam package in Ubuntu:
New
Bug description:
Comments in PAM service files at /etc/pam.d/* suggest a line to
uncomment to configure complicated authorization rules using
pam_access (which in turn is configured by /etc/security/access.conf):
/etc/pam.d/sshd:
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
/etc/pam.d/login:
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
Comments in /etc/security/access.conf indicate the origin in this file
can be a TTY or domain name:
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."),
I wanted to configure a user on my server, 'localadmin', who can only
log in on the console and not via any network service and tried to
achieve this using pam_access as follows:
I uncommented the default 'account required pam_access.so' lines in
/etc/pam.d/sshd and /etc/pam.d/login.
I added the following in /etc/security/access.conf intending to allow
user 'localadmin' to only log in on the console:
+:localadmin:tty1
-:localadmin:ALL
This seems to work: login via SSH fails and login on the console
succeeds, as expected.
However, /var/log/auth.log suspiciously indicates it is treating tty1
as a hostname during the failed SSH attempt:
Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): cannot resolve hostname "tty1"
Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): access denied for user `localadmin' from `10.0.0.101'
It is confirmed to be doing DNS lookups for 'tty1' in the search
domain during the login attempt:
admin@server:~$ resolvectl status eth0
...
DNS Servers: 10.0.0.2
DNS Domain: example.com
admin@server:~$ sudo tcpdump -i eth0 -n port 53
01:28:12.100348 IP 10.0.0.42.44968 > 10.0.0.2.53: 21558+ [1au] A? tty1.example.com. (45)
01:28:12.100666 IP 10.0.0.42.44669 > 10.0.0.2.53: 40453+ [1au] AAAA? tty1.example.com. (45)
01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44968: 21558 NXDomain* 0/1/1 (95)
01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44669: 40453 NXDomain* 0/1/1 (95)
I configured my DNS service to resolve hostname 'tty1' to the IP
address the SSH connection originates from:
admin@server:~$ dig +short tty1.example.com
10.0.0.101
SSH access is then unexpectedly allowed:
user@clienthost:~$ ip -4 a show dev eth0
inet 10.0.0.101/24 ...
user@clienthost:~$ ssh localadmin@10.0.0.42
localadmin@10.0.0.42's password:
localadmin@server:~$
I think the local origins should be completely separated from network
origins in /etc/security/access.conf somehow (maybe with separate
access.conf files used for local and network PAM services).
Other requested bug report info:
root at server:~# lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
root at server:~# apt-cache policy pam
N: Unable to locate package pam
root at server:~# apt-cache policy libpam-modules
libpam-modules:
Installed: 1.4.0-11ubuntu2.3
Candidate: 1.4.0-11ubuntu2.3
Version table:
*** 1.4.0-11ubuntu2.3 500
500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1.4.0-11ubuntu2 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
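The report above shows the trap: a tty name in the origins field of a rule evaluated by a networked service is handed to the resolver, so whoever can answer for "tty1" in the search domain can satisfy a "console-only" rule. The following is an added audit script, not code from Linux-PAM, from Ubuntu or from the bug report. It parses access.conf-style rules, flags origin tokens that look like tty names, and reports what they resolve to. The access.conf content and the DNS answer (tty1 -> 10.0.0.101) are constructed to mirror the report; the resolver is injectable so the check runs offline, and the `dns_resolver` helper is an assumed wrapper around `socket.getaddrinfo` for use against live DNS.

```python
"""Audit pam_access rules for tty-style origin tokens that a networked
service (sshd in the bug report) would try to resolve as hostnames.

Added example, not Linux-PAM code. Assumes the three-field
permission:users:origins syntax of /etc/security/access.conf.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterator, List, NamedTuple, Tuple

# Origin keywords pam_access treats specially; it never resolves these.
KEYWORDS = {"ALL", "LOCAL", "EXCEPT", "NONE"}

# Tokens that only make sense for non-networked logins. A networked
# service has no tty to compare against, so the token is matched as a host.
TTY_RE = re.compile(r"^(?:tty[A-Za-z]*\d+|pts/\d+|console|hvc\d+)$")


class Finding(NamedTuple):
    line_no: int
    permission: str
    users: str
    token: str
    resolved: List[str]  # addresses the token resolves to; [] if none


def parse_rules(text: str) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (line_no, permission, users, origins) for each active rule."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3:
            continue  # malformed line; pam_access logs and skips it
        yield line_no, fields[0], fields[1], fields[2]


def is_network_token(token: str) -> bool:
    """True for tokens that can only be network origins (domain, IP, CIDR, dotted prefix)."""
    if token.startswith("."):  # domain suffix such as .example.com
        return True
    try:
        ipaddress.ip_network(token, strict=False)  # address or CIDR, v4 or v6
        return True
    except ValueError:
        pass
    return re.fullmatch(r"(?:\d{1,3}\.){1,3}", token) is not None  # e.g. 10.0.0.


def dns_resolver() -> Callable[[str], List[str]]:
    """Assumed live resolver: getaddrinfo applies the search list like sshd's lookup would."""
    def resolve(token: str) -> List[str]:
        try:
            return sorted({info[4][0] for info in socket.getaddrinfo(token, None)})
        except socket.gaierror:
            return []
    return resolve


def audit(text: str, resolve: Callable[[str], List[str]]) -> List[Finding]:
    """Report every tty-looking origin token together with what it resolves to."""
    findings: List[Finding] = []
    for line_no, permission, users, origins in parse_rules(text):
        for token in origins.split():
            if token in KEYWORDS or is_network_token(token):
                continue
            if TTY_RE.match(token):
                findings.append(Finding(line_no, permission, users, token, resolve(token)))
    return findings


# Constructed access.conf mirroring the rules in the bug report.
SAMPLE_ACCESS_CONF = """\
# permission:users:origins
+:localadmin:tty1
-:localadmin:ALL
+:ops:.example.com 10.0.0.0/24
-:ALL:ALL
"""

# Constructed DNS answer set: the record the reporter added to the zone.
FAKE_DNS: Dict[str, List[str]] = {"tty1": ["10.0.0.101"]}


def fake_resolver(token: str) -> List[str]:
    return FAKE_DNS.get(token, [])


def report(text: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Human-readable lines, one per finding, ready for a config-lint step."""
    out = []
    for f in audit(text, resolve):
        where = f"line {f.line_no} ({f.permission}:{f.users}) origin {f.token!r}"
        if f.resolved:
            out.append(f"{where} resolves to {', '.join(f.resolved)}: a networked "
                       f"service will treat it as a host match")
        else:
            out.append(f"{where} does not resolve now but is still looked up in DNS "
                       f"by networked services")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_ACCESS_CONF, fake_resolver):  # swap in dns_resolver() for live DNS
        print(line)
```

Running the script against a real access.conf with `dns_resolver()` shows whether any tty token already resolves in the server's search domain; a clean result still leaves the lookup itself in place, which is what the two-file layout the report proposes avoids. pam_access takes an `accessfile=` module argument, so the rules that name ttys can live in a file referenced only from /etc/pam.d/login, while /etc/pam.d/sshd points at a file that lists network origins only.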