[sudo-users] PAM rhost

Todd C. Miller Todd.Miller at sudo.ws
Sun Mar 1 11:40:14 MST 2020

On Sat, 29 Feb 2020 17:06:55 +0100, =?UTF-8?Q?Michael_Str=c3=b6der?= wrote:

> On 2/29/20 4:15 PM, Todd C. Miller wrote:
> > I used to set PAM_RHOST on all PAM systems but on Linux it resulted
> > in a DNS lookup via libaudit.  I don't know if that is still the
> > case.  I suppose it could be changed to a sudoers setting.
> Are you sure the DNS lookup was done by libaudit?

It sure looks like it.  If you look at audit_log_acct_message() in


you can see that if "addr" is not set, it will look up the specified
host name to determine its IP address (probably using DNS).  The
PAM audit code doesn't specify a value of "addr" since it is now
known.  The call in Linux PAM looks like this:

    rc = audit_log_acct_message(audit_fd, type, NULL, buf,
        (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
	-1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);

where pamh->rhost is the value of PAM_RHOST set by sudo or NULL if
not set.

 - todd

More information about the sudo-users mailing list