[sudo-users] PAM rhost

Michael Ströder michael at stroeder.com
Sat Feb 29 09:06:55 MST 2020

On 2/29/20 4:15 PM, Todd C. Miller wrote:
> I used to set PAM_RHOST on all PAM systems but on Linux it resulted
> in a DNS lookup via libaudit.  I don't know if that is still the
> case.  I suppose it could be changed to a sudoers setting.

Are you sure the DNS lookup was done by libaudit?

Sounds a bit like this bug filed four years ago:


Furthermore there's an option 'log_format' in auditd.conf which seems to
trigger all kind of name lookups in auditd. But this kind of implies
that such a name lookup is not done in libaudit and thus would not block
the application invoking PAM.

Excerpt from auditd.conf(5):


[..] The ENRICHED option will resolve all uid, gid, syscall,
architecture, and socket address information before writing the event
to disk.[..]

Is there a simple way to test that?

Ciao, Michael.

More information about the sudo-users mailing list