I'm seeing this issue as well, but only on my Ubuntu 20.04/22.04 boxes. My EL8/9 boxes with the same access.conf setup are not seeing this issue.

Logs from pam_access in debug mode on an Ubuntu 20.04 box are given below, but my 22.04 systems do the same thing. My EL8/9 system logs look the same sans the 'cannot resolve hostname "LOCAL"' error message.

Seems to be related to these 2 bugs:
https://github.com/linux-pam/linux-pam/issues/834
https://github.com/linux-pam/linux-pam/issues/711

The EL8 PAM package includes these patches to resolve this issue:
https://github.com/linux-pam/linux-pam/commit/08992030c56c940c0707ccbc442b1c325aa01e6d
https://github.com/linux-pam/linux-pam/commit/ecaaf4456e5aeacae1acdb1775bb5aadd3b19e13
https://github.com/linux-pam/linux-pam/commit/641dfd1084508c63f3590e93a35b80ffc50774e5
https://github.com/linux-pam/linux-pam/commit/4ba3105511c3a55fc750a790f7310c6d7ebfdfda
https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628

access.conf:

+ : root : LOCAL
+ : sudo : LOCAL
+ : agroup : 192.168.0.0/16
+ : agroup2 : 192.168.100.0/24
- : ALL : ALL EXCEPT LOCAL

pam_access.so debug:

Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): login_access: user=auser, from=192.168.19.2, file=/etc/security/access.conf
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): line 1: + : root : LOCAL
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= root , item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match: tok=root, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=root, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match=0, "auser"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): line 2: + : sudo : LOCAL
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= sudo , item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match: tok=sudo, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=sudo, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match=1, "auser"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= LOCAL, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): from_match: tok=LOCAL, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=LOCAL, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): network_netmask_match: tok=LOCAL, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): cannot resolve hostname "LOCAL"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): from_match=0, "192.168.19.2"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): line 3: + : agroup : 192.168.0.0/16
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= agroup , item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match: tok=agroup, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=agroup, item=auser
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): user_match=1, "auser"
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): list_match: list= 192.168.0.0/16
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): from_match: tok=192.168.0.0/16, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): string_match: tok=192.168.0.0/16, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): network_netmask_match: tok=192.168.0.0/16, item=192.168.19.2
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): from_match=1, "192.168.19.2"

** Bug watch added: github.com/linux-pam/linux-pam/issues #834
   https://github.com/linux-pam/linux-pam/issues/834

** Bug watch added: github.com/linux-pam/linux-pam/issues #711
   https://github.com/linux-pam/linux-pam/issues/711

-- 
https://bugs.launchpad.net/bugs/2046526

Title:
  pam_access Configuration Treats TTY Names as Hostnames

Status in pam package in Ubuntu:
  Confirmed

Bug description:
  Comments in PAM service files at /etc/pam.d/* suggest a line to uncomment to configure complicated authorization rules using pam_access (which in turn is configured by /etc/security/access.conf):

  /etc/pam.d/sshd:
  # Uncomment and edit /etc/security/access.conf if you need to set complex
  # access limits that are hard to express in sshd_config.
  # account required pam_access.so

  /etc/pam.d/login:
  # Uncomment and edit /etc/security/access.conf if you need to
  # set access limits.
  # (Replaces /etc/login.access file)
  # account required pam_access.so

  Comments in /etc/security/access.conf indicate the origin in this file can be a TTY or domain name:
  # The third field should be a list of one or more tty names (for
  # non-networked logins), host names, domain names (begin with "."),

  I wanted to configure a user on my server, 'localadmin', who can only log in on the console and not via any network service, and tried to achieve this using pam_access as follows:

  I uncommented the default 'account required pam_access.so' lines in /etc/pam.d/sshd and /etc/pam.d/login.

  I added the following in /etc/security/access.conf, intending to allow user 'localadmin' to only log in on the console:
  +:localadmin:tty1
  -:localadmin:ALL

  This seems to work. Login via SSH fails and succeeds on the console, as expected.

  However, /var/log/auth.log suspiciously indicates it is treating tty1 as a hostname during the failed SSH attempt:
  Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): cannot resolve hostname "tty1"
  Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): access denied for user `localadmin' from `10.0.0.101'

  It is confirmed to be doing DNS lookups for 'tty1' in the search domain during the login attempt:
  admin@server:~$ resolvectl status eth0
  ...
  DNS Servers: 10.0.0.2
  DNS Domain: example.com
  admin@server:~$ sudo tcpdump -i eth0 -n port 53
  01:28:12.100348 IP 10.0.0.42.44968 > 10.0.0.2.53: 21558+ [1au] A? tty1.example.com. (45)
  01:28:12.100666 IP 10.0.0.42.44669 > 10.0.0.2.53: 40453+ [1au] AAAA? tty1.example.com. (45)
  01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44968: 21558 NXDomain* 0/1/1 (95)
  01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44669: 40453 NXDomain* 0/1/1 (95)

  I configured my DNS service to resolve hostname 'tty1' to the IP address the SSH connection originates from:
  admin@server:~$ dig +short tty1.example.com
  10.0.0.101

  SSH access is then unexpectedly allowed:
  user@clienthost:~$ ip -4 a show dev eth0
  inet 10.0.0.101/24 ...
  user@clienthost:~$ ssh localadmin@10.0.0.42
  localadmin@10.0.0.42's password:
  localadmin@server:~$

  I think the local origins should be completely separated from network origins in /etc/security/access.conf somehow (maybe with separate access.conf files used for local and network PAM services).

  Other requested bug report info:
  root@server:~# lsb_release -rd
  Description: Ubuntu 22.04.3 LTS
  Release: 22.04
  root@server:~# apt-cache policy pam
  N: Unable to locate package pam
  root@server:~# apt-cache policy libpam-modules
  libpam-modules:
    Installed: 1.4.0-11ubuntu2.3
    Candidate: 1.4.0-11ubuntu2.3
    Version table:
   *** 1.4.0-11ubuntu2.3 500
          500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1.4.0-11ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
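A configuration lint and log check for the behaviour described in this report, added here as an example (not code from the bug report, from linux-pam, or from Ubuntu): it flags access.conf origins that are tty names, which a network-facing service such as sshd has no tty to compare against and so ends up handing to a hostname lookup, and pulls the matching 'cannot resolve hostname' lines out of auth.log. The tty-name pattern and both sample inputs are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample access.conf modelled on the rules quoted in this bug (not a file from the page)
SAMPLE_ACCESS_CONF = """\
+:localadmin:tty1
-:localadmin:ALL
+ : root : LOCAL
+ : agroup : 192.168.0.0/16
+ : ops : .example.com
- : ALL : ALL EXCEPT LOCAL
"""
# Constructed auth.log lines in the format pam_access uses for the lookup failure
SAMPLE_AUTH_LOG = """\
Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): cannot resolve hostname "tty1"
Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): access denied for user `localadmin' from `10.0.0.101'
Feb 14 12:00:29 anotherserver sshd[3443]: pam_access(sshd:auth): cannot resolve hostname "LOCAL"
"""
KEYWORDS = {"ALL", "LOCAL", "EXCEPT"}
# Heuristic for tty device names (an assumption; extend it for the consoles on your hosts)
TTY_RE = re.compile(r"^(tty[A-Za-z0-9]*|pts/\d+|console|hvc\d+)$")
RESOLVE_RE = re.compile(r'pam_access\([^)]*\): cannot resolve hostname "([^"]+)"')

def classify_origin(tok):
    """Classify one origin token along the lines access.conf(5) documents for the field."""
    if tok.upper() in KEYWORDS:
        return "keyword"
    if tok.startswith("."):
        return "domain"
    try:
        ipaddress.ip_network(tok, strict=False)
        return "network"
    except ValueError:
        pass
    return "tty" if TTY_RE.match(tok) else "hostname"

def tty_origins(conf_text):
    """(lineno, users, token) for each tty-named origin: a network service has no
    tty to compare, so pam_access hands the token to a DNS lookup instead."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = [p.strip() for p in line.split(":", 2)]  # perm : users : origins
        if len(parts) < 3:
            continue
        hits += [(n, parts[1], t) for t in parts[2].split() if classify_origin(t) == "tty"]
    return hits

def unresolved_tokens(log_text):
    """Tokens pam_access reported it could not resolve (from auth.log), with their class."""
    return [(m.group(1), classify_origin(m.group(1))) for m in RESOLVE_RE.finditer(log_text)]
```

Run it against a real /etc/security/access.conf and auth.log to find rules that pair a tty origin with a service that never sees a tty; a "tty" hit in the log output means the lookup in this report is happening on that host.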