pam_access: hostname vs. terminal
Vladimir A. Pavlov
pv.root at gmail.com
Sun Sep 10 10:28:12 UTC 2006
Hello!

I'd like to disable root logins from everywhere except /dev/tty2. That's
why I added the following line to the /etc/security/access.conf file:

-:root:ALL EXCEPT tty2

But I've found that if I try to log in from another tty as a regular user
while the network is under heavy load, then the pam_access module waits for
a long time before giving me a shell prompt.

The PAM sources told me that this is because the module in question
first compares the real tty name (tty1) with the one from access.conf
(tty2) and, if they aren't equal, it tries to call the getaddrinfo() function,
passing the 'tty1' value as a host name. So the delay appears since
this function uses DNS (!) to find a host named tty1, which is slow in
the case of heavy network load and useless in _this_ case.

Is there a way to reduce the latency?

Isn't it a security hole that the module cannot tell the difference
between a terminal and a host name?

P.S. I use Linux-PAM-0.99.4.0.

--
Nothing but perfection
pv
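
Added example, not part of the original message and not Linux-PAM source: a simplified C model of the matching order described above, showing that evaluating "ALL EXCEPT tty2" for a login on tty1 reaches the resolver once, and that a check for a remote origin avoids it. All function names are hypothetical and fake_resolve() is a stand-in for getaddrinfo().

```c
#include <stdio.h>
#include <string.h>

static int lookups;   /* simulated resolver calls */
/* Stand-in for getaddrinfo(): records the call, resolves nothing. */
static int fake_resolve(const char *name) { (void)name; lookups++; return 0; }

/* One token vs. the login origin. guarded=0: string compare, then host lookup
 * (as the post describes). guarded=1: resolve only remote origins (assumption). */
static int tok_match(const char *tok, size_t n, const char *origin,
                     int remote, int guarded) {
    if ((n == 3 && strncmp(tok, "ALL", 3) == 0) ||
        (n == strlen(origin) && strncmp(tok, origin, n) == 0))
        return 1;
    if (guarded && !remote)
        return 0;                     /* a local tty is never a host name */
    return fake_resolve(origin);
}

/* Origins field with at most one EXCEPT, e.g. "ALL EXCEPT tty2". */
static int origins_match(const char *field, const char *origin,
                         int remote, int guarded) {
    int hit = 0, excepted = 0, in_except = 0;
    const char *p = field;
    while (*(p += strspn(p, " "))) {
        size_t n = strcspn(p, " ");
        if (n == 6 && strncmp(p, "EXCEPT", 6) == 0) {
            if (!hit) return 0;       /* nothing matched before EXCEPT */
            in_except = 1;
        } else if (!in_except) {
            if (!hit) hit = tok_match(p, n, origin, remote, guarded);
        } else if (!excepted) {
            excepted = tok_match(p, n, origin, remote, guarded);
        }
        p += n;
    }
    return hit && !excepted;
}

/* Resolver calls made while evaluating one login origin. */
static int lookups_for(const char *field, const char *origin,
                       int remote, int guarded) {
    lookups = 0;
    (void)origins_match(field, origin, remote, guarded);
    return lookups;
}

int main(void) {
    const char *f = "ALL EXCEPT tty2";          /* origins field from the post */
    printf("naive:   %d lookup(s)\n", lookups_for(f, "tty1", 0, 0));
    printf("guarded: %d lookup(s)\n", lookups_for(f, "tty1", 0, 1));
    return 0;
}
```

In both variants the rule still matches for tty1 and does not match for tty2; only the resolver call differs.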