| 1 |
Hi list, |
| 2 |
|
| 3 |
When I try to login to my Gentoo installation |
| 4 |
(hardened/selinux/amd64/no-multilib) at TTY, after entering |
| 5 |
username and password it takes a long time to show prompt. I track |
| 6 |
down this problem to the some DNS resolution |
| 7 |
taking place at startup. i.e. when my default gateway is connected to |
| 8 |
internet, I can log-in normally, |
| 9 |
but when I'm not connected, I experience this issue. I was also |
| 10 |
getting few days back a selinux denial for |
| 11 |
'locallogin_t', so with the help of Chris PeBenito, I fixed that issue |
| 12 |
by adding following rule to my local |
| 13 |
SELinux policy: |
| 14 |
|
| 15 |
----8<----8<---- |
| 16 |
auth_use_nsswitch(local_login_t) |
| 17 |
---->8---->8---- |
| 18 |
|
| 19 |
I'm not able to figure out why it needs to do DNS resolution at login. |
| 20 |
Following are my related pam configuration |
| 21 |
files: |
| 22 |
|
| 23 |
----8<----8<---- |
| 24 |
abbe@chatteau ~ $ cat /etc/pam.d/system-auth |
| 25 |
#%PAM-1.0 |
| 26 |
|
| 27 |
auth required pam_env.so |
| 28 |
auth sufficient pam_unix.so try_first_pass likeauth nullok |
| 29 |
auth required pam_deny.so |
| 30 |
|
| 31 |
account required pam_unix.so |
| 32 |
|
| 33 |
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 |
| 34 |
ocredit=2 try_first_pass retry=3 |
| 35 |
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow |
| 36 |
password required pam_deny.so |
| 37 |
|
| 38 |
session required pam_limits.so |
| 39 |
session required pam_unix.so |
| 40 |
abbe@chatteau ~ $ cat /etc/pam.d/login |
| 41 |
#%PAM-1.0 |
| 42 |
|
| 43 |
auth required pam_securetty.so |
| 44 |
auth required pam_tally.so file=/var/log/faillog |
| 45 |
onerr=succeed no_magic_root |
| 46 |
auth required pam_shells.so |
| 47 |
auth required pam_nologin.so |
| 48 |
auth include system-auth |
| 49 |
|
| 50 |
account required pam_access.so |
| 51 |
account include system-auth |
| 52 |
account required pam_tally.so deny=0 file=/var/log/faillog |
| 53 |
onerr=succeed no_magic_root |
| 54 |
|
| 55 |
password include system-auth |
| 56 |
|
| 57 |
# pam_selinux.so close should be the first session rule |
| 58 |
session required pam_selinux.so close |
| 59 |
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 |
| 60 |
session required pam_env.so |
| 61 |
session optional pam_lastlog.so |
| 62 |
session optional pam_motd.so motd=/etc/motd |
| 63 |
session optional pam_mail.so |
| 64 |
|
| 65 |
# If you want to enable pam_console, uncomment the following line |
| 66 |
# and read carefully README.pam_console in /usr/share/doc/pam* |
| 67 |
#session optional pam_console.so |
| 68 |
|
| 69 |
session include system-auth |
| 70 |
|
| 71 |
# pam_selinux.so open should be the last session rule |
| 72 |
session required pam_selinux.so multiple open |
| 73 |
|
| 74 |
abbe@chatteau ~ $ getent hosts `hostname` |
| 75 |
::1 localhost chatteau.d.lf chatteau localhost.localdomain |
| 76 |
abbe@chatteau ~ $ getent hosts 127.0.0.1 |
| 77 |
127.0.0.1 localhost chatteau.d.lf chatteau localhost.localdomain |
| 78 |
---->8---->8---- |
| 79 |
|
| 80 |
The long delay is only experienced when user is successfully |
| 81 |
authenticated. So I think its somewhere |
| 82 |
in 'session' phase of PAM, though I'm not sure on this. |
| 83 |
|
| 84 |
Any idea what would be wrong here ? |
| 85 |
|
| 86 |
TIA |
| 87 |
-- |
| 88 |
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/ |
| 89 |
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- |
Archives