pam_access: hostname vs. terminal

Pablo Graziano pablo at compugenic.com
Sun Sep 10 22:42:11 UTC 2006


Vladimir A. Pavlov wrote:
> Hello!
>
> I'd like to disable root logins from everywhere except /dev/tty2. That's 
> why I added the following line to /etc/security/access.conf file
>
> -:root:ALL EXCEPT tty2
>
> But I've found that if I try to log in from another tty as a usual user 
> while the network is under heavy load then pam_access module waits for 
> a long time before giving me a shell prompt.
>
> The PAM sources told me that this is because the module in question 
> first compares the real tty name (tty1) with the one from access.conf 
> (tty2) and if they aren't equal it tries to call getaddrinfo() function 
> passing the 'tty1' value as a host name. So the delay appears since 
> this function uses DNS (!) to find a host named tty1 that is slow in 
> the case of heavy network load and useless in _this_ case.
>
> Is there a way to reduce the latency?
>
> Isn't it a security hole that the module cannot tell the difference 
> between a terminal and a host name?
>
> P.S. I use Linux-PAM-0.99.4.0.
>
Can't you just specify which ttys root is allowed to log in from in the 
/etc/securetty file?
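The behaviour described in the thread, as an added model written for this page (not Linux-PAM's own code): a small parser for access.conf lines, an evaluator that records which origin strings would be handed to the resolver, and the securetty-style check from the reply. It assumes the origin field is compared before the user field, which is what the reported delay for an ordinary user implies, and it handles only ALL, EXCEPT and literal names.

```python
# Constructed model of pam_access access.conf evaluation for this thread;
# not Linux-PAM's own code, and it handles only ALL / EXCEPT / literal names.
from typing import List, Optional, Tuple

SAMPLE_ACCESS_CONF = """\
# constructed sample mirroring the post: root only from tty2
-:root:ALL EXCEPT tty2
"""
SAMPLE_SECURETTY = "tty2\n"  # constructed /etc/securetty content

def parse_access_conf(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """Parse 'perm:users:origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def _match(tokens: List[str], value: str, lookups: Optional[List[str]]) -> bool:
    """'ALL EXCEPT a b' semantics. A non-matching origin is appended to
    lookups: pam_access cannot tell a tty from a host, so it hands the string
    (e.g. 'tty1') to getaddrinfo(), which may block on DNS under load."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match(tokens[:i], value, lookups) and not _match(tokens[i + 1:], value, lookups)
    if "ALL" in tokens or value in tokens:
        return True
    if lookups is not None:
        lookups.append(value)
    return False

def evaluate(rules, user: str, origin: str) -> Tuple[str, List[str]]:
    """Return ('+' or '-', names handed to the resolver). Origins are checked
    before users (assumed), which is why an ordinary user on tty1 waits too."""
    lookups: List[str] = []
    for perm, users, origins in rules:
        if _match(origins, origin, lookups) and _match(users, user, None):
            return perm, lookups
    return "+", lookups  # no rule matched: pam_access permits by default

def securetty_permits_root(text: str, tty: str) -> bool:
    """pam_securetty alternative from the reply: root only from ttys listed in
    /etc/securetty, decided by plain string comparison with no name lookup."""
    tty = tty[5:] if tty.startswith("/dev/") else tty
    return tty in {line.strip() for line in text.splitlines() if line.strip()}
```

Running `evaluate(parse_access_conf(SAMPLE_ACCESS_CONF), "alice", "tty1")` returns a permit but also shows `tty1` being sent to the resolver, which is the delay the post describes; the securetty check never resolves anything.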