[Bug 2046526] Re: pam_access Configuration Treats TTY Names as Hostnames
D Ledford
2046526@bugs.launchpad.net
Fri Feb 14 19:11:25 UTC 2025
I'm seeing this issue as well, but only on my Ubuntu 20.04/22.04 boxes.
My EL8/9 boxes with the same access.conf setup are not seeing this issue.
Logs from pam_access in debug mode on an Ubuntu 20.04 box are given below, but my 22.04 systems do the same thing.
My EL8/9 system logs look the same sans the 'cannot resolve hostname "LOCAL"' error message.
Seems to be related to these 2 bugs:
https://github.com/linux-pam/linux-pam/issues/834
https://github.com/linux-pam/linux-pam/issues/711
The EL8 PAM package includes these patches to resolve this issue:
https://github.com/linux-pam/linux-pam/commit/08992030c56c940c0707ccbc442b1c325aa01e6d
https://github.com/linux-pam/linux-pam/commit/ecaaf4456e5aeacae1acdb1775bb5aadd3b19e13
https://github.com/linux-pam/linux-pam/commit/641dfd1084508c63f3590e93a35b80ffc50774e5
https://github.com/linux-pam/linux-pam/commit/4ba3105511c3a55fc750a790f7310c6d7ebfdfda
https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628
access.conf:
+ : root : LOCAL
+ : sudo : LOCAL
+ : agroup : 192.168.0.0/16
+ : agroup2 : 192.168.100.0/24
- : ALL : ALL EXCEPT LOCAL
pam_access.so debug:
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): login_access: user=auser, from=192.168.19.2, file=/etc/security/access.conf
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): line 1: + : root : LOCAL
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= root , item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match: tok=root, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=root, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match=0, "auser"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): line 2: + : sudo : LOCAL
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= sudo , item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match: tok=sudo, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=sudo, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match=1, "auser"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= LOCAL, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): from_match: tok=LOCAL, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=LOCAL, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): network_netmask_match: tok=LOCAL, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): cannot resolve hostname "LOCAL"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): from_match=0, "192.168.19.2"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): line 3: + : agroup : 192.168.0.0/16
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= agroup , item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match: tok=agroup, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=agroup, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match=1, "auser"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= 192.168.0.0/16
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): from_match: tok=192.168.0.0/16, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=192.168.0.0/16, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): network_netmask_match: tok=192.168.0.0/16, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): from_match=1, "192.168.19.2"
https://bugs.launchpad.net/bugs/2046526
Title:
pam_access Configuration Treats TTY Names as Hostnames
Status in pam package in Ubuntu:
Confirmed
Bug description:
Comments in PAM service files at /etc/pam.d/* suggest a line to
uncomment to configure complicated authorization rules using
pam_access (which in turn is configured by /etc/security/access.conf):
/etc/pam.d/sshd:
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
/etc/pam.d/login:
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
Comments in /etc/security/access.conf indicate the origin in this file
can be a TTY or domain name:
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."),
I wanted to configure a user on my server, 'localadmin', who can only
log in on the console and not via any network service and tried to
achieve this using pam_access as follows:
I uncommented the default ‘account required pam_access.so’ lines in
/etc/pam.d/sshd and /etc/pam.d/login.
I added the following in /etc/security/access.conf intending to allow
user 'localadmin' to only log in on the console:
+:localadmin:tty1
-:localadmin:ALL
This seems to work. Login via SSH fails and succeeds on the console,
as expected.
However, /var/log/auth.log suspiciously indicates it is treating tty1
as a hostname during the failed SSH attempt:
Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): cannot resolve hostname "tty1"
Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): access denied for user `localadmin' from `10.0.0.101'
It is confirmed to be doing DNS lookups for 'tty1' in the search
domain during the login attempt:
admin@server:~$ resolvectl status eth0
...
DNS Servers: 10.0.0.2
DNS Domain: example.com
admin@server:~$ sudo tcpdump -i eth0 -n port 53
01:28:12.100348 IP 10.0.0.42.44968 > 10.0.0.2.53: 21558+ [1au] A? tty1.example.com. (45)
01:28:12.100666 IP 10.0.0.42.44669 > 10.0.0.2.53: 40453+ [1au] AAAA? tty1.example.com. (45)
01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44968: 21558 NXDomain* 0/1/1 (95)
01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44669: 40453 NXDomain* 0/1/1 (95)
I configured my DNS service to resolve hostname 'tty1' to the IP
address the SSH connection originates from:
admin@server:~$ dig +short tty1.example.com
10.0.0.101
SSH access is then unexpectedly allowed:
user@clienthost:~$ ip -4 a show dev eth0
inet 10.0.0.101/24 ...
user@clienthost:~$ ssh localadmin@10.0.0.42
localadmin@10.0.0.42's password:
localadmin@server:~$
I think the local origins should be completely separated from network
origins in /etc/security/access.conf somehow (maybe with separate
access.conf files used for local and network PAM services).
Other requested bug report info:
root at server:~# lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
root at server:~# apt-cache policy pam
N: Unable to locate package pam
root at server:~# apt-cache policy libpam-modules
libpam-modules:
Installed: 1.4.0-11ubuntu2.3
Candidate: 1.4.0-11ubuntu2.3
Version table:
*** 1.4.0-11ubuntu2.3 500
500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
1.4.0-11ubuntu2 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
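The following is an added example, not Linux-PAM's code and not anything posted in this bug: a simplified Python model of the pam_access matching order that the debug logs above expose (list_match, then user_match/from_match, then string_match, then network_netmask_match with its hostname-resolution fallback). It reproduces both reports on this page with constructed inputs: the reporter's `+:localadmin:tty1` rule being satisfied over SSH once a DNS name "tty1" resolves to the client address, and the first reply's access.conf, where an origin of 192.168.19.2 is correctly rejected by LOCAL and then accepted by the 192.168.0.0/16 rule. The DNS resolvers and the group membership table are constructed for the example; the `nodns` flag models a "never resolve a token as a hostname" policy (newer upstream Linux-PAM releases accept a `nodns` module option with that meaning; check the pam_access(8) man page for your version before relying on it). The "allow when no rule matches" default is modelled after pam_access; confirm it against your access.conf(5).

```python
"""Simplified model of pam_access rule matching (added example, not Linux-PAM code).

Call order follows the debug log from this bug: list_match -> user_match /
from_match -> string_match -> network_netmask_match, whose last resort is to
resolve the rule token as a hostname and compare the result with the origin.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, List[str], List[str]]   # (permission, user tokens, origin tokens)
Resolver = Callable[[str], List[str]]     # name -> list of IP address strings


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'perm : users : origins' lines; '#' comments and blank lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def network_netmask_match(tok: str, origin: str, resolver: Resolver, nodns: bool) -> bool:
    """CIDR or literal-address match; otherwise the token is resolved in DNS (unless nodns)."""
    if not _is_ip(origin):
        return False                      # a tty origin never matches a network token
    addr = ipaddress.ip_address(origin)
    if "/" in tok:
        try:
            return addr in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    if _is_ip(tok):
        return addr == ipaddress.ip_address(tok)
    if nodns:
        return False
    # The defect this bug is about: an unrecognised token such as "tty1" is
    # treated as a hostname, so whoever controls DNS for it controls the match.
    return origin in resolver(tok)


def from_match(tok: str, origin: str, resolver: Resolver, nodns: bool) -> bool:
    if tok == "ALL":
        return True
    if tok.upper() == "LOCAL":
        return "." not in origin and ":" not in origin   # console names have no dots
    if tok.lower() == origin.lower():                     # string_match: exact tty/host
        return True
    if tok.startswith(".") and origin.lower().endswith(tok.lower()):
        return True                                       # ".example.com" domain suffix
    return network_netmask_match(tok, origin, resolver, nodns)


def list_match(tokens: List[str], item: str, match) -> bool:
    """'a b EXCEPT c d' matches if any of a, b matches and none of c, d does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    return any(match(t, item) for t in head) and not any(match(t, item) for t in tail)


def login_access(rules: List[Rule], user: str, origin: str,
                 groups: Dict[str, List[str]], resolver: Resolver, nodns: bool = False) -> bool:
    """First rule whose user list and origin list both match decides.
    Nothing matched is modelled as allow, so always end a real file with -:ALL:ALL."""
    def user_match(tok: str, u: str) -> bool:
        return tok == "ALL" or tok == u or u in groups.get(tok, [])

    for perm, users, origins in rules:
        if list_match(users, user, user_match) and \
           list_match(origins, origin, lambda t, o: from_match(t, o, resolver, nodns)):
            return perm == "+"
    return True


# Constructed inputs: the two access.conf files quoted in this bug thread.
REPORTER_CONF = "+:localadmin:tty1\n-:localadmin:ALL\n"
REPLY_CONF = """
+ : root : LOCAL
+ : sudo : LOCAL
+ : agroup : 192.168.0.0/16
+ : agroup2 : 192.168.100.0/24
- : ALL : ALL EXCEPT LOCAL
"""
GROUPS = {"sudo": ["auser"], "agroup": ["auser"]}     # constructed membership


def honest_dns(_name: str) -> List[str]:
    return []                                           # tty1.example.com -> NXDOMAIN


def spoofed_dns(name: str) -> List[str]:
    return {"tty1": ["10.0.0.101"]}.get(name, [])       # tty1 now resolves to the SSH client


def scenarios() -> Dict[str, bool]:
    r, l = parse_access_conf(REPORTER_CONF), parse_access_conf(REPLY_CONF)
    return {
        "console_login":     login_access(r, "localadmin", "tty1", {}, honest_dns),
        "ssh_honest_dns":    login_access(r, "localadmin", "10.0.0.101", {}, honest_dns),
        "ssh_spoofed_dns":   login_access(r, "localadmin", "10.0.0.101", {}, spoofed_dns),
        "ssh_spoofed_nodns": login_access(r, "localadmin", "10.0.0.101", {}, spoofed_dns, nodns=True),
        "auser_from_lan":    login_access(l, "auser", "192.168.19.2", GROUPS, honest_dns),
        "auser_from_wan":    login_access(l, "auser", "203.0.113.9", GROUPS, honest_dns),
        "root_on_console":   login_access(l, "root", "tty1", GROUPS, honest_dns),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:18s} {'ALLOW' if allowed else 'DENY'}")
```

The practical reading of the model: a rule whose origin field is meant to be a tty name is only safe in a PAM service that can never present a network origin. Until a fixed libpam-modules is installed, keep the console-only rules out of the file that sshd consults, for instance by giving the sshd line its own file with `account required pam_access.so accessfile=/etc/security/access-sshd.conf` and putting only IP addresses and CIDR prefixes in that file, and verify with the same `tcpdump -n port 53` check the reporter used that a failed SSH attempt generates no lookup for the tty name.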