OpenSSH can mess up Linux-PAM's pam_access


I have found out that if an attacker can fake forward and reverse DNS
lookups, then pam_access can think the attacker is connected from
somewhere else (e.g. from a privileged host).

Let's have these steps:

1. /etc/security/access.conf at victim's server:
    -:root:ALL EXCEPT
    and /etc/pam.d/sshd contains:
    account    required
2. attacker connects from to the server
3. sshd does gethostbyaddr("")
4. attacker responds "localhost."
5. sshd does gethostbyname("localhost.")
6. attacker responds ""
7. sshd finds out DNS check passed and sets PAM_RHOST to "localhost"
8. sshd invokes PAM authentication process via pam_authenticate()
9. libpam indirectly invokes match_from() in
10. match_from() does gethostbyname("localhost")
11. match_from() properly receives ""
12. match_from() finds a match in /etc/security/access.conf
13. and finally pam_access returns PAM_SUCCESS

Proposed fix: sshd should always pass the rhost IP address to PAM.
pam_access is vulnerable only if the config file contains domain names. On
the other hand, a configuration based on IP addresses is resistant.

--Petr Pisar

Re: OpenSSH can mess up Linux-PAM's pam_access

XSSO says that PAM_RHOST is "The remote host name."  You can make sshd
use an IP address by setting "UseDNS no" in sshd_config.


The underlying problem is that the configuration is using an untrusted
source of data (ie DNS) for authentication decisions.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
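The two mitigations named in this thread are both configuration checks: make sure /etc/security/access.conf does not rely on host or domain names (which pam_access can only match by resolving PAM_RHOST), and make sure sshd is not handing PAM a DNS-derived name in the first place (UseDNS no). The following audit script is an added example, not code from either poster or from the OpenSSH or Linux-PAM projects. It assumes the standard access.conf line format (permission:users:origins, '#' comments, whitespace-separated origins) and the sshd_config rule that the first occurrence of a keyword wins; the sample configuration and sshd_config text embedded in it are constructed for the demonstration.

```python
"""Audit pam_access rules for origins whose match depends on DNS name resolution.

Added example, not code from the thread. Assumes the usual
/etc/security/access.conf syntax: one rule per line, three colon-separated
fields (permission, users/groups, origins), origins separated by whitespace
or commas, '#' starting a comment.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# access.conf origin keywords that never trigger a host-name lookup.
KEYWORDS = {"ALL", "LOCAL", "EXCEPT", "NONE"}
# pam_access accepts a dotted IPv4 prefix such as "192.168." as a network match.
_IPV4_PREFIX = re.compile(r"^(\d{1,3}\.){1,3}$")


def classify_origin(origin: str) -> str:
    """Return 'keyword', 'ip' (address, CIDR, netmask or dotted prefix) or 'name'.

    A 'name' origin (host name or leading-dot domain suffix) can only be matched
    by resolving PAM_RHOST, so the decision depends on DNS. Note that tty names
    also land in 'name'; review the flagged list rather than acting on it blindly.
    """
    if origin.upper() in KEYWORDS:
        return "keyword"
    if _IPV4_PREFIX.match(origin):
        return "ip"
    try:
        ipaddress.ip_network(origin, strict=False)
        return "ip"
    except ValueError:
        return "name"


def parse_access_conf(text: str) -> List[Tuple[int, str, str, List[str]]]:
    """Return (line_number, permission, users, origins) for every rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; pam_access itself logs and skips these
        # Everything after the second colon is the origin list, so IPv6
        # literals containing colons survive intact.
        permission, users = fields[0].strip(), fields[1].strip()
        origins = ":".join(fields[2:]).replace(",", " ").split()
        rules.append((lineno, permission, users, origins))
    return rules


def dns_dependent_rules(text: str) -> List[Tuple[int, List[str]]]:
    """Return [(line_number, [name origins])] for rules whose outcome needs DNS."""
    findings = []
    for lineno, _perm, _users, origins in parse_access_conf(text):
        names = [o for o in origins if classify_origin(o) == "name"]
        if names:
            findings.append((lineno, names))
    return findings


def usedns_setting(sshd_config: str) -> Optional[str]:
    """Return the effective UseDNS value (sshd honours the first occurrence), or None."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "usedns":
            return parts[1].strip().lower()
    return None


# Constructed sample inputs, not taken from any real host.
SAMPLE_ACCESS_CONF = """\
# constructed sample access.conf
-:root:ALL EXCEPT localhost
+:wheel:192.168.10.0/24 10.0.0.5 ::1
-:ALL:.example.com 192.168.
"""
SAMPLE_SSHD_CONFIG = "# constructed sample sshd_config\nPort 22\nUseDNS no\n"

if __name__ == "__main__":
    for lineno, names in dns_dependent_rules(SAMPLE_ACCESS_CONF):
        print(f"access.conf line {lineno}: DNS-dependent origin(s) {names}")
    print("sshd UseDNS:", usedns_setting(SAMPLE_SSHD_CONFIG))
```

Run against the real files by reading /etc/security/access.conf and /etc/ssh/sshd_config into the two functions. Any rule reported by dns_dependent_rules is one whose result an attacker controlling the client's reverse and forward DNS records could influence when sshd passes a host name as PAM_RHOST; rewriting those origins as addresses or CIDR ranges, or setting UseDNS no, removes that dependency.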
