[Bug 2046526] Re: pam_access Configuration Treats TTY Names as Hostnames
Marc Deslauriers
2046526@bugs.launchpad.net
Fri Jan 19 19:56:41 UTC 2024
** Changed in: pam (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2046526
Title:
pam_access Configuration Treats TTY Names as Hostnames
Status in pam package in Ubuntu:
Confirmed
Bug description:
Comments in PAM service files at /etc/pam.d/* suggest a line to
uncomment to configure complicated authorization rules using
pam_access (which in turn is configured by /etc/security/access.conf):
/etc/pam.d/sshd:
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
/etc/pam.d/login:
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
Comments in /etc/security/access.conf indicate the origin in this file
can be a TTY or domain name:
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."),
I wanted to configure a user on my server, 'localadmin', who can only
log in on the console and not via any network service and tried to
achieve this using pam_access as follows:
I uncommented the default 'account required pam_access.so' lines in
/etc/pam.d/sshd and /etc/pam.d/login.
I added the following in /etc/security/access.conf intending to allow
user 'localadmin' to only log in on the console:
+:localadmin:tty1
-:localadmin:ALL
This seems to work. Login via SSH fails and succeeds on the console,
as expected.
However, /var/log/auth.log suspiciously indicates it is treating tty1
as a hostname during the failed SSH attempt:
Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): cannot resolve hostname "tty1"
Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): access denied for user `localadmin' from `10.0.0.101'
It is confirmed to be doing DNS lookups for 'tty1' in the search
domain during the login attempt:
admin@server:~$ resolvectl status eth0
...
DNS Servers: 10.0.0.2
DNS Domain: example.com
admin@server:~$ sudo tcpdump -i eth0 -n port 53
01:28:12.100348 IP 10.0.0.42.44968 > 10.0.0.2.53: 21558+ [1au] A? tty1.example.com. (45)
01:28:12.100666 IP 10.0.0.42.44669 > 10.0.0.2.53: 40453+ [1au] AAAA? tty1.example.com. (45)
01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44968: 21558 NXDomain* 0/1/1 (95)
01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44669: 40453 NXDomain* 0/1/1 (95)
I configured my DNS service to resolve hostname 'tty1' to the IP
address the SSH connection originates from:
admin@server:~$ dig +short tty1.example.com
10.0.0.101
SSH access is then unexpectedly allowed:
user@clienthost:~$ ip -4 a show dev eth0
inet 10.0.0.101/24 ...
user@clienthost:~$ ssh localadmin@10.0.0.42
localadmin@10.0.0.42's password:
localadmin@server:~$
I think the local origins should be completely separated from network
origins in /etc/security/access.conf somehow (maybe with separate
access.conf files used for local and network PAM services).
Other requested bug report info:
root@server:~# lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
root@server:~# apt-cache policy pam
N: Unable to locate package pam
root@server:~# apt-cache policy libpam-modules
libpam-modules:
Installed: 1.4.0-11ubuntu2.3
Candidate: 1.4.0-11ubuntu2.3
Version table:
*** 1.4.0-11ubuntu2.3 500
500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1.4.0-11ubuntu2 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
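The matching behaviour the report describes, as an added example (a simplified model, not pam's own code): one access.conf rule list is consulted for both console logins, whose origin is a tty name, and network logins, whose origin is the peer IP, so the token "tty1" is also resolved as a hostname for sshd. The resolver functions, the two rules and the address 10.0.0.101 are constructed to mirror the report; the audit helper at the end is an assumed defender check, not a pam feature.

```python
"""Model of the pam_access origin matching described in the report (added
example, not pam's own code): a tty name in the third field is compared
with the tty for console logins but resolved as a hostname for sshd."""
import re

def parse_access_conf(text):
    """Return (permit, users, origins) from 'permission:users:origins' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", re.split(r"[\s,]+", users),
                          re.split(r"[\s,]+", origins)))
    return rules

def origin_matches(token, origin, network, resolve):
    """Console login: token is compared with the tty name only.  Network
    login: a token that is not the literal peer IP is resolved (the DNS
    lookup seen in tcpdump) and its addresses compared with the peer IP."""
    if token == "ALL" or token == origin:
        return True
    return network and origin in resolve(token)

def check_access(rules, user, origin, network, resolve):
    """First matching rule decides; with no match pam_access permits."""
    for permit, users, origins in rules:
        if (user in users or "ALL" in users) and any(
                origin_matches(t, origin, network, resolve) for t in origins):
            return permit
    return True

TTY_LIKE = re.compile(r"^(tty\S*|console|hvc\d+|pts/\d+)$")

def audit_tty_origins(rules):
    """Assumed defender check: flag tty names in a rule list that a network
    service such as sshd also consults, since they will be resolved as hosts."""
    return sorted({t for _, _, origins in rules for t in origins if TTY_LIKE.match(t)})

# Constructed inputs reproducing the report: the two rules, a resolver that
# answers NXDOMAIN for everything, and one where "tty1" resolves to the SSH
# client's address 10.0.0.101.
RULES = parse_access_conf("+:localadmin:tty1\n-:localadmin:ALL\n")
nxdomain = lambda name: []
tty1_is_client = lambda name: ["10.0.0.101"] if name == "tty1" else []

if __name__ == "__main__":
    print(check_access(RULES, "localadmin", "tty1", False, nxdomain))  # True
    print(check_access(RULES, "localadmin", "10.0.0.101", True, nxdomain))  # False
    print(check_access(RULES, "localadmin", "10.0.0.101", True, tty1_is_client))  # True
    print(audit_tty_origins(RULES))  # ['tty1']
```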