On Mon, 14 Apr 2025 03:47:36 +0200 Alban Browaeys <pra...@yahoo.com>
wrote:
(...)
> Since the pam upgrade from 1.5.3.7+b1 to 1.7.0 in testing around
> February 2025 I am unable to login with these rules on boxes which have
> an avahi 'local' domain assigned.
>
> It seems pam in 1.7 resolves the 'local' avahi domain before the LAN DNS
> domain assigned to the box.
> 

Well probably because:

from hermes, requesting its own interface IP rDNS
$ host 192.168.10.123
123.10.168.192.in-addr.arpa domain name pointer hermes.prahal.homelinux.net.
123.10.168.192.in-addr.arpa domain name pointer hermes.
$ dig -x  192.168.10.123

; <<>> DiG 9.20.7-1-Debian <<>> -x 192.168.10.123
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20228
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;123.10.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
123.10.168.192.in-addr.arpa. 0  IN      PTR     hermes.prahal.homelinux.net.
123.10.168.192.in-addr.arpa. 0  IN      PTR     hermes.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Apr 14 04:11:39 CEST 2025
;; MSG SIZE  rcvd: 117


from cyclope, requesting its own interfaces IPs rDNS
$ host 192.168.10.12
12.10.168.192.in-addr.arpa domain name pointer cyclope.prahal.homelinux.net.
12.10.168.192.in-addr.arpa domain name pointer cyclope.
$ host 192.168.10.135
135.10.168.192.in-addr.arpa domain name pointer cyclope.prahal.homelinux.net.
135.10.168.192.in-addr.arpa domain name pointer cyclope.
$ dig -x  192.168.10.135

; <<>> DiG 9.20.7-1-Debian <<>> -x 192.168.10.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55510
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;135.10.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
135.10.168.192.in-addr.arpa. 0  IN      PTR     cyclope.prahal.homelinux.net.
135.10.168.192.in-addr.arpa. 0  IN      PTR     cyclope.

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Apr 14 04:08:28 CEST 2025
;; MSG SIZE  rcvd: 119
$ dig -x 192.168.10.12

; <<>> DiG 9.20.7-1-Debian <<>> -x 192.168.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26675
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;12.10.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
12.10.168.192.in-addr.arpa. 0   IN      PTR     cyclope.prahal.homelinux.net.
12.10.168.192.in-addr.arpa. 0   IN      PTR     cyclope.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Apr 14 04:08:39 CEST 2025
;; MSG SIZE  rcvd: 118



from cyclope requesting hermes IP rDNS
$ host 192.168.10.123
123.10.168.192.in-addr.arpa domain name pointer hermes.prahal.homelinux.net.
$ dig -x 192.168.10.123

; <<>> DiG 9.20.7-1-Debian <<>> -x 192.168.10.123
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32509
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;123.10.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
123.10.168.192.in-addr.arpa. 55 IN      PTR     hermes.local.

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Apr 14 04:09:51 CEST 2025
;; MSG SIZE  rcvd: 82


from hermes requesting cyclope IP rDNS
$ host 192.168.10.12
12.10.168.192.in-addr.arpa domain name pointer cyclope.local.
$ host 192.168.10.135
135.10.168.192.in-addr.arpa domain name pointer cyclope.prahal.homelinux.net.
$ dig -x 192.168.10.12

; <<>> DiG 9.20.7-1-Debian <<>> -x 192.168.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50041
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;12.10.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
12.10.168.192.in-addr.arpa. 113 IN      PTR     cyclope.local.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Apr 14 04:21:08 CEST 2025
;; MSG SIZE  rcvd: 82
$ dig -x 192.168.10.135

; <<>> DiG 9.20.7-1-Debian <<>> -x 192.168.10.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;135.10.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
135.10.168.192.in-addr.arpa. 113 IN     PTR     cyclope.local.

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Apr 14 04:21:10 CEST 2025
;; MSG SIZE  rcvd: 83




So could it be pam 1.7 is working correctly while 1.5.3 wasn't?

Cheers,
Alban
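
The reverse-DNS comparison in the message above, as an added example that is not part of the original e-mail: it parses `dig -x` answer lines and reports whether every PTR name for an address sits under the LAN domain, which is what a hostname-based access rule would need to match reliably. The answer lines are copied from the output above; the function names, and the choice of `prahal.homelinux.net` as the domain such a rule expects, are assumptions.

```python
import re

# PTR answer lines copied from the dig output in the message above.
FROM_HERMES_SELF = """\
123.10.168.192.in-addr.arpa. 0  IN      PTR     hermes.prahal.homelinux.net.
123.10.168.192.in-addr.arpa. 0  IN      PTR     hermes.
"""
FROM_CYCLOPE_REMOTE = """\
123.10.168.192.in-addr.arpa. 55 IN      PTR     hermes.local.
"""

PTR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+PTR\s+(\S+)\s*$")


def ptr_names(dig_text):
    """Return the PTR targets from dig answer lines, skipping ';' comment lines."""
    names = []
    for line in dig_text.splitlines():
        if line.startswith(";"):
            continue
        m = PTR_LINE.match(line.strip())
        if m:
            names.append(m.group(2).rstrip(".").lower())
    return names


def classify(name, lan_domain):
    """Label a PTR name: mDNS (.local), under the LAN domain, bare, or other."""
    if name == "local" or name.endswith(".local"):
        return "mdns"
    if name == lan_domain or name.endswith("." + lan_domain):
        return "lan"
    if "." not in name:
        return "single-label"
    return "other"


def audit(dig_text, lan_domain):
    """Return ({name: class}, consistent); consistent means all names are 'lan'."""
    classes = {n: classify(n, lan_domain) for n in ptr_names(dig_text)}
    consistent = bool(classes) and all(c == "lan" for c in classes.values())
    return classes, consistent


if __name__ == "__main__":
    # lan_domain is an assumption: the domain a hostname-based rule would expect.
    for label, text in (("hermes, own IP", FROM_HERMES_SELF),
                        ("cyclope, hermes IP", FROM_CYCLOPE_REMOTE)):
        print(label, audit(text, "prahal.homelinux.net"))
```
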
