Vladimir A. Pavlov wrote:
Hello!
I'd like to disable root logins from everywhere except /dev/tty2. That's
why I added the following line to the /etc/security/access.conf file:
-:root:ALL EXCEPT tty2
But I've found that if I try to log in from another tty as a usual user
while the network is under heavy load, then the pam_access module waits for
a long time before giving me a shell prompt.
The PAM sources told me that this is because the module in question
first compares the real tty name (tty1) with the one from access.conf
(tty2) and, if they aren't equal, it tries to call the getaddrinfo() function,
passing the 'tty1' value as a host name. So the delay appears since
this function uses DNS (!) to find a host named tty1, which is slow in
the case of heavy network load and useless in _this_ case.
Is there a way to reduce the latency?
Isn't it a security hole that the module cannot tell the difference
between a terminal and a host name?
P.S. I use Linux-PAM-0.99.4.0.
Can't you just specify which ttys root is allowed to log in from in the
/etc/securetty file?
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
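
The origin matching described in the question, as an added example that is not part of the thread and not Linux-PAM source: a simplified C model of the origins field only, with a counting stand-in for getaddrinfo() so it runs offline. `looks_like_tty` and the `guard` flag are hypothetical, not something pam_access is stated to have.

```c
#include <stdio.h>
#include <string.h>

static int lookups;  /* how many times the resolver stand-in was consulted */

/* Stand-in for getaddrinfo(): constructed, never touches the network. */
static int stub_resolve(const char *name) {
    (void)name;
    lookups++;
    return 0;  /* assume no host with this name exists */
}

/* Hypothetical guard: names shaped like local terminals are not host names. */
static int looks_like_tty(const char *s) {
    return strncmp(s, "tty", 3) == 0 || strncmp(s, "pts/", 4) == 0;
}

/* One token vs. the login origin: literal compare, then host-name fallback. */
static int token_match(const char *tok, const char *origin, int guard) {
    if (strcmp(tok, "ALL") == 0 || strcmp(tok, origin) == 0) return 1;
    if (guard && looks_like_tty(origin)) return 0;
    return stub_resolve(origin);
}

/* Origins field such as "ALL EXCEPT tty2": match the list before EXCEPT,
   then require that nothing after EXCEPT matches. */
static int origins_match(const char *field, const char *origin, int guard) {
    char buf[128], *tok;
    int matched = 0, in_except = 0;

    strncpy(buf, field, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (strcmp(tok, "EXCEPT") == 0) {
            if (!matched) return 0;
            in_except = 1;
        } else if (!in_except) {
            matched = matched || token_match(tok, origin, guard);
        } else if (token_match(tok, origin, guard)) {
            return 0;  /* origin is in the exception list */
        }
    }
    return matched;
}

int main(void) {
    int hit = origins_match("ALL EXCEPT tty2", "tty1", 0);
    printf("rule applies on tty1: %d, resolver calls: %d\n", hit, lookups);
    return 0;
}
```

A return value of 1 means the `-:root:ALL EXCEPT tty2` origin field matches the login origin; the counter shows that reaching that answer for tty1 costs one name lookup unless the guard is on.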