PAM_RHOST and reverse hostname lookups

Andrew Bartlett abartlet at
Wed Jun 29 22:39:34 MDT 2011

On Wed, 2011-06-29 at 11:05 +0200, Andreas Schneider wrote:
> Hi Jeremy,
> we had some discussions about my s3-auth patchset. We don't want to introduce 
> a new dependency in the auth system and get rid of some old ones.
> Currently we're doing reverse hostname lookups in s3-auth to set PAM_RHOST. As 
> reverse lookups are disabled by default and PAM_RHOST is only really used by 
> two modules ( and (auto blacklisting) and else just 
> for auditing I would like to suggest to set PAM_RHOST always to the ip 
> address.

To give some more background to this:  The PAM stack is only invoked in
Samba (excluding the plaintext password case) for 'account', 'password'
and 'session' modules.  So I doubt any sensible case will be using
pam_rhosts, and pam_abl won't have the data to operate anyway, even if
it hooks at these layers. 

Finally, while a noble goal at the time, the idea of synchronising with
and interacting with PAM as the authoritative source of data is neat,
but we should have instead pushed harder the reverse.  We should have
pressed the standard solution to be that of using PAM so everyone else
could talk to our DB (pam_smbpass) rather than valiantly trying to keep
our DB in sync, given that we have to hold challenge-response compatible

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list