Package: libpam-modules
Version: 1.7.0-3
Severity: normal
Dear Maintainer,
I have /etc/security/access-sshd.conf with:
"
# Ansible managed
# Grant access via SSH to root account from the Ansible Controller hosts
+:root:<controller IP>
# Grant access via SSH to root account on the same DNS domain
+:root:.<my domain>
# Deny access to root account via SSH from anywhere else
-:root:ALL
# Grant access via SSH to members of UNIX groups defined on this host
+:(admins) (sshusers) (sftponly):ALL
# Grant access via SSH to users on the same DNS domain. The SSH server
# needs to have UseDNS option enabled for this rule to work correctly.
+:ALL:.<my domain>
# Deny access via SSH by anyone from anywhere
-:ALL:ALL
"
with <my domain> being my LAN DNS domain,
and /etc/pam.d/sshd with:
account required pam_access.so nodefgroup accessfile=/etc/security/access-sshd.conf
Since the pam upgrade from 1.5.3.7+b1 to 1.7.0 in testing around
February 2025 I am unable to log in with these rules on boxes which have
an avahi 'local' domain assigned.
It seems pam in 1.7 resolves the 'local' avahi domain before the LAN DNS
domain assigned to the box.
From a box with a single interface I now get:
avril 14 02:42:52 cyclope sshd-session[31318]: pam_access(sshd:account): access denied for user `prahal' from `hermes.local'
avril 14 02:42:52 cyclope sshd-session[31318]: fatal: Access denied for user prahal by PAM account configuration [preauth]
and am denied access with:
Connection closed by 192.168.10.135 port 22
From a box with two interfaces to the same network (i.e. the second being
the ethernet interface from this laptop's dock at the desk):
avril 14 03:07:33 hermes sshd-session[3411435]: Address 192.168.10.12 maps to cyclope.local, but this does not map back to the address.
avril 14 03:07:33 hermes sshd-session[3411435]: pam_access(sshd:account): access denied for user `prahal' from `192.168.10.12'
avril 14 03:07:33 hermes sshd-session[3411435]: fatal: Access denied for user prahal by PAM account configuration [preauth]
(this is because I have two interfaces on cyclope plugged into the same network, wifi
always on and ethernet from the dock when at the desk, thus cyclope.local maps to
192.168.10.135 the )
and am denied access with:
Connection closed by 192.168.10.123 port 22
If I add to /etc/security/access-sshd.conf
+:ALL:.local
before the deny all:
-:ALL:ALL
I can now ssh to the boxes.
Is this change in domain resolution a regression or a fix?
Various settings:
$ resolvectl
Global
Protocols: +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp2s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported
Default Route: no
Link 3 (bridge0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: fc00:10::1
DNS Servers: 192.168.11.1 192.168.10.1 fc00:10::1
DNS Domain: prahal.homelinux.net
Default Route: yes
Link 4 (docker0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: -DefaultRoute +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported
Default Route: no
Link 7 (veth05166a2)
Current Scopes: LLMNR/IPv6 mDNS/IPv6
Protocols: -DefaultRoute +LLMNR mDNS=resolve -DNSOverTLS DNSSEC=no/unsupported
Default Route: no
on both boxes
cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search prahal.homelinux.net
on both boxes
grep UseDNS /etc/ssh/sshd_config
UseDNS yes
on both boxes
cat /etc/avahi/avahi-daemon.conf
# Ansible managed
# This file is part of avahi.
#
# avahi is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# avahi is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
# License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with avahi; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA.
# See avahi-daemon.conf(5) for more information on this configuration
# file!
[server]
#host-name=foo
#domain-name=local
# What domains we browse
use-ipv4=yes
use-ipv6=yes
# What interfaces we use
#deny-interfaces=eth1
#check-response-ttl=no
#use-iff-running=no
#enable-dbus=yes
#disallow-other-stacks=no
#allow-point-to-point=no
#cache-entries-max=4096
#clients-max=4096
#objects-per-client-max=1024
#entries-per-entry-group-max=32
ratelimit-interval-usec=1000000
ratelimit-burst=1000
[wide-area]
enable-wide-area=yes
[publish]
#disable-publishing=no
#disable-user-service-publishing=no
add-service-cookie=yes
#publish-addresses=yes
publish-hinfo=no
publish-workstation=no
#publish-domain=yes
#publish-dns-servers=192.168.50.1, 192.168.50.2
#publish-resolv-conf-dns-servers=yes
#publish-aaaa-on-ipv4=yes
#publish-a-on-ipv6=no
[reflector]
enable-reflector=no
#reflect-ipv=no
[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=768
rlimit-stack=4194304
rlimit-nproc=3
hostname -f
hermes.prahal.homelinux.net
hostname -f
cyclope.prahal.homelinux.net
on both boxes:
cat /etc/nsswitch.conf
# Ansible managed
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
gshadow: files
hosts: files mymachines mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
My setup is pretty rare, though as it might affect others and it might be
a regression I prefer to raise the issue.
I believe adding the 'local' domain to the access rules is correct, but
I don't know why pam_access resolves '<host>.local' first when all other
tools resolve <host>.<mydomain> first.
One local peculiarity is that I have uncommented the "prefer IPv4" line in
/etc/gai.conf on all my boxes:
#
# For sites which prefer IPv4 connections change the last line to
#
precedence ::ffff:0:0/96 100
Cheers,
Alban
-- System Information:
Debian Release: trixie/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'stable-debug'), (500, 'testing'), (90, 'unstable-debug'), (90, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.21-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libpam-modules depends on:
ii debconf [debconf-2.0] 1.5.91
ii libaudit1 1:4.0.2-2+b2
ii libc6 2.41-6
ii libcrypt1 1:4.4.38-1
ii libdb5.3t64 5.3.28+dfsg2-9
ii libpam-modules-bin 1.7.0-3
ii libpam0g 1.7.0-3
ii libselinux1 3.8.1-1
ii libsystemd0 257.5-2
libpam-modules recommends no packages.
libpam-modules suggests no packages.
-- debconf information:
libpam-modules/disable-screensaver:
libpam-modules/deprecate-tally:
libpam-modules/profiles-disabled:
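The rule matching and the reverse-lookup fallback described in this report, as an added Python simulator that is not part of the report or of pam_access itself: it evaluates the access-sshd.conf rules above (first match wins) against the origin string sshd hands to PAM, with a constructed resolver table standing in for DNS/mDNS. It matches the origin textually and does not model pam_access's own resolution of the origin, which is the behaviour the report asks about; the controller IP is a constructed placeholder.

```python
"""Constructed, simplified pam_access rule simulator (not PAM's own code).
First matching rule wins; '(name)' selects a group (nodefgroup); an origin is
ALL, an IP, a hostname or a '.domain' suffix; no match => access granted."""

# Constructed resolver table mirroring the report: cyclope has two addresses on
# the same LAN, but cyclope.local forward-resolves only to 192.168.10.135.
PTR = {"192.168.10.12": "cyclope.local", "192.168.10.135": "cyclope.local",
       "192.168.10.123": "hermes.local"}
A = {"cyclope.local": {"192.168.10.135"}, "hermes.local": {"192.168.10.123"}}
# The report's access-sshd.conf; the controller IP is a constructed placeholder.
ACCESS_CONF = """
+:root:192.168.10.1
+:root:.prahal.homelinux.net
-:root:ALL
+:(admins) (sshusers) (sftponly):ALL
+:ALL:.prahal.homelinux.net
-:ALL:ALL
"""
# Same file with the '+:ALL:.local' rule the report adds before the final deny.
ACCESS_CONF_FIXED = ACCESS_CONF.replace("-:ALL:ALL", "+:ALL:.local\n-:ALL:ALL")

def sshd_origin(ip):
    # With UseDNS yes, sshd hands PAM the PTR name only if it forward-confirms;
    # otherwise ("maps to X, but this does not map back") it hands over the IP.
    name = PTR.get(ip)
    return name if name and ip in A.get(name, set()) else ip

def parse_rules(text):
    rules = []  # (allow?, user patterns, origin patterns), in file order
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = line.split(":", 2)
            rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pat, origin):
    return pat == "ALL" or (origin.endswith(pat) if pat.startswith(".") else pat == origin)

def user_matches(pat, user, groups):
    if pat.startswith("(") and pat.endswith(")"):  # group match, nodefgroup style
        return pat[1:-1] in groups
    return pat == "ALL" or pat == user

def access_allowed(rules, user, groups, origin):
    for allow, users, origins in rules:
        if any(user_matches(u, user, groups) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return allow  # first match decides
    return True  # no rule matched: pam_access grants access
```

In the two-interface case the origin falls back to the bare IP, which no '.domain' suffix rule can match, so the simulator still denies it even with the '.local' rule; placing that rule after '-:ALL:ALL' instead of before it never takes effect.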