[sudo-users] PAM rhost

Todd C. Miller Todd.Miller at sudo.ws
Sat Feb 29 09:39:58 MST 2020


On Sat, 29 Feb 2020 17:06:55 +0100, Michael Ströder wrote:

> On 2/29/20 4:15 PM, Todd C. Miller wrote:
> > I used to set PAM_RHOST on all PAM systems but on Linux it resulted
> > in a DNS lookup via libaudit.  I don't know if that is still the
> > case.  I suppose it could be changed to a sudoers setting.
>
> Are you sure the DNS lookup was done by libaudit?

That's what the commit message says but that was 10 years ago and
I don't recall the exact details.

> Sounds a bit like this bug filed four years ago:
>
> https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1571903
>
> Furthermore there's an option 'log_format' in auditd.conf which seems to
> trigger all kind of name lookups in auditd. But this kind of implies
> that such a name lookup is not done in libaudit and thus would not block
> the application invoking PAM.
>
> Excerpt from auditd.conf(5):
>
> log_format
>
> [..] The ENRICHED option will resolve all uid, gid, syscall,
> architecture, and socket address information before writing the event
> to disk.[..]
>
> Is there a simple way to test that?

You should be able to test by pointing /etc/resolv.conf at an
unreachable host and making sure that DNS is used first for hosts
in nsswitch.conf.  You would need to make sure that the fqdn sudoers
setting is not enabled, Debian-based systems often have it enabled
by default.  If sudo hangs and you can get a stack trace it
should tell you where the problem is.  This is probably easiest to
test on a VM.

 - todd
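The VM test described above, scripted as an added example (this is not code from the sudo project or from anyone in this thread). It checks the two preconditions Todd names (DNS consulted before /etc/hosts in nsswitch.conf, the sudoers fqdn option off), points the resolver at an address that never answers, and then runs sudo under a deadline, dumping a backtrace with gdb if it is still alive. The file paths, the 20 second limit and the use of 192.0.2.1 (an RFC 5737 documentation address that is not routed) are assumptions; the blackhole step overwrites resolv.conf, so run it only on a throwaway VM, as root, with gdb installed.

```shell
#!/bin/sh
# Added example, not from the sudo project or from this thread's authors.
# Scripts the DNS-hang test: pre-flight checks, blackhole resolver,
# timed sudo run with a backtrace on hang. Paths are assumptions.

NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
SUDOERS="${SUDOERS:-/etc/sudoers}"
RESOLV="${RESOLV:-/etc/resolv.conf}"

# 0 if the first "hosts:" line lists "dns" before "files" (so a lookup
# really goes to the network), 1 if files comes first or dns is absent.
nsswitch_dns_first() {
    awk '
        $1 == "hosts:" && !seen {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "dns")   { ok = 1; break }   # network first: good
                if ($i == "files") { break }           # /etc/hosts answers first
            }
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# 0 if a Defaults line in the sudoers file leaves fqdn enabled, 1 otherwise.
# "Defaults !fqdn" turns it off again; a later setting wins over an earlier
# one. Trailing comments are stripped (a "#" inside a quoted value would
# confuse this simple parser, which is an accepted limitation here).
sudoers_fqdn_enabled() {
    awk '
        /^[ \t]*Defaults/ {
            line = $0
            sub(/#.*/, "", line)
            sub(/^[ \t]*Defaults[^ \t]*[ \t]*/, "", line)
            n = split(line, opt, "[ \t,]+")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "fqdn")  found = 1
                if (opt[i] == "!fqdn") found = 0
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Point the resolver at 192.0.2.1 (TEST-NET-1, never routed), so every
# DNS query times out instead of being answered. Destructive: VM only.
blackhole_resolver() {
    printf 'nameserver 192.0.2.1\n' > "$1"
}

# Run sudo non-interactively; if it is still alive after $1 seconds,
# treat that as the hang and print every thread's backtrace via gdb.
# Needs root (sudo is setuid) and gdb on the VM.
sudo_hang_check() {
    limit="${1:-20}"
    sudo -n true &
    pid=$!
    elapsed=0
    while kill -0 "$pid" 2>/dev/null && [ "$elapsed" -lt "$limit" ]; do
        sleep 1
        elapsed=$((elapsed + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo "sudo still running after ${limit}s; backtrace follows:" >&2
        gdb -p "$pid" -batch -ex 'thread apply all bt' 2>/dev/null
        kill "$pid"
        return 1
    fi
    wait "$pid"
}

main() {
    if ! nsswitch_dns_first "$NSSWITCH"; then
        echo "hosts: in $NSSWITCH must list dns before files for this test" >&2
        return 2
    fi
    if sudoers_fqdn_enabled "$SUDOERS"; then
        echo "fqdn is enabled in $SUDOERS; disable it so the lookup is PAM's" >&2
        return 2
    fi
    blackhole_resolver "$RESOLV"
    sudo_hang_check 20
}

# Only the explicit "run" argument performs the destructive steps.
if [ "${1:-}" = run ]; then
    main
fi
```

The checks are separate functions so they can be pointed at copies of the files with the NSSWITCH and SUDOERS variables before anything is touched; `sh script.sh run` does the whole thing. A backtrace that shows sudo sitting in the resolver under a PAM or audit frame is the evidence the thread is after.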

