pam_access: hostname vs. terminal

Vladimir A. Pavlov pv.root at gmail.com
Sun Sep 10 10:28:12 UTC 2006


Hello!

I'd like to disable root logins from everywhere except /dev/tty2. That's 
why I added the following line to /etc/security/access.conf file

-:root:ALL EXCEPT tty2

But I've found that if I try to log in from another tty as an ordinary user 
while the network is under heavy load, then the pam_access module waits for 
a long time before giving me a shell prompt.

The PAM sources told me that this is because the module in question 
first compares the real tty name (tty1) with the one from access.conf 
(tty2) and, if they aren't equal, it calls the getaddrinfo() function 
with the 'tty1' value as a host name. So the delay appears because 
this function uses DNS (!) to find a host named tty1, which is slow 
under heavy network load and useless in _this_ case.

Is there a way to reduce the latency?

Isn't it a security hole that the module cannot tell the difference 
between a terminal and a host name?

P.S. I use Linux-PAM-0.99.4.0.

-- 
Nothing but perfection
pv
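As an added illustration, not part of the message above and not Linux-PAM's own code: a small Python model of the matching the poster describes. It parses access.conf lines, evaluates each rule's origin field before its user field (the order this model assumes from the module's login_access loop), and only falls back to name resolution once the literal comparison of the token against the origin fails. A recording stand-in replaces getaddrinfo() so the block runs offline; names it does not know simply return nothing, where the real call would block on DNS. The `resolve_tty_names` switch, the `RecordingResolver` class, the `evaluate()` function and the configuration text are all constructed for this example: with the switch on, the model reproduces the behaviour in the post (an ordinary user on tty1 still causes "tty1" to be looked up, because the root rule's origin field is evaluated first); with it off, an origin that came from PAM_TTY is never handed to the resolver. Netgroups, @group user tokens and IPv6 are left out of the model.

```python
"""Model of how pam_access decides whether an origin token applies and where it
falls back to hostname resolution.  Constructed example, not Linux-PAM code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Rule:
    permit: bool          # '+' permits, '-' denies
    users: List[str]      # user field tokens, e.g. ["root"]
    origins: List[str]    # origin field tokens, e.g. ["ALL", "EXCEPT", "tty2"]


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf lines of the form  permission:users:origins."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field in %r" % raw)
        rules.append(Rule(perm == "+", users.split(), origins.split()))
    return rules


class RecordingResolver:
    """Stand-in for getaddrinfo(): canned answers, and every name asked for is
    recorded.  Unknown names return no addresses here; the real call would wait
    on DNS instead, which is the latency described in the post."""

    def __init__(self, table: Dict[str, List[str]]):
        self.table = table
        self.lookups: List[str] = []

    def __call__(self, name: str) -> List[str]:
        self.lookups.append(name)
        return self.table.get(name, [])


def origin_token_matches(token: str, origin: str, origin_is_tty: bool,
                         resolve, resolve_tty_names: bool) -> bool:
    """One origin token against the login origin (PAM_RHOST, or PAM_TTY if unset)."""
    if token == "ALL":
        return True
    if token.lower() == origin.lower():       # the literal comparison: "tty2" vs "tty1"
        return True
    if token == "LOCAL":
        return "." not in origin              # a name without a dot counts as local
    if origin_is_tty and not resolve_tty_names:
        return False                          # guarded variant: a terminal name is never resolved
    addrs = resolve(origin)                   # legacy variant: resolve whatever the origin is
    if token.endswith("."):                   # network prefix such as 192.0.2.
        return any(a.startswith(token) for a in addrs)
    return token in addrs


def list_matches(tokens: List[str], match_one) -> bool:
    """Match anything before EXCEPT, and nothing after it."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        wanted, excluded = tokens[:i], tokens[i + 1:]
    else:
        wanted, excluded = tokens, []
    return any(match_one(t) for t in wanted) and not any(match_one(t) for t in excluded)


def user_token_matches(token: str, user: str) -> bool:
    return token == "ALL" or token == user    # @group tokens are not modelled


def evaluate(rules: List[Rule], user: str, origin: str, origin_is_tty: bool,
             resolver: RecordingResolver, resolve_tty_names: bool = True) -> Tuple[bool, List[str]]:
    """Return (permitted, names_resolved).  The origin field is checked before the
    user field, so a rule that can never apply to this user still resolves the origin."""
    start = len(resolver.lookups)
    for rule in rules:
        origin_hit = list_matches(rule.origins, lambda t: origin_token_matches(
            t, origin, origin_is_tty, resolver, resolve_tty_names))
        if origin_hit and list_matches(rule.users, lambda t: user_token_matches(t, user)):
            return rule.permit, resolver.lookups[start:]
    return True, resolver.lookups[start:]     # no rule matched: access is granted


# Constructed configuration: the poster's line plus two rules for contrast.
ACCESS_CONF = """\
-:root:ALL EXCEPT tty2
+:ALL:LOCAL
-:ALL:192.0.2.
"""

if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    resolver = RecordingResolver({"build.example.net": ["192.0.2.10"]})
    for user, origin, is_tty, legacy in [("pv", "tty1", True, True), ("pv", "tty1", True, False),
                                         ("root", "tty1", True, False),
                                         ("pv", "build.example.net", False, True)]:
        ok, looked_up = evaluate(rules, user, origin, is_tty, resolver, legacy)
        print("%-5s from %-18s resolve_tty_names=%-5s -> %s, resolved %s"
              % (user, origin, legacy, "permit" if ok else "deny", looked_up))
```

The point the model makes concrete is that the delay is not tied to the user being tested: the origin list of the root rule is evaluated first, so every login from a terminal other than tty2 resolves its tty name once per such rule, while the guarded variant denies root on tty1 and permits everyone else without touching the resolver at all. A real remote origin is still resolved in both variants, which is what the prefix rule needs.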
