Hi list,

When I try to log in to my Gentoo installation
(hardened/selinux/amd64/no-multilib) at a TTY, after entering
username and password it takes a long time to show the prompt. I tracked
this problem down to some DNS resolution taking place at startup,
i.e. when my default gateway is connected to the internet, I can log in
normally, but when I'm not connected, I experience this issue. A few days
back I was also getting an SELinux denial for 'locallogin_t', so with the
help of Chris PeBenito, I fixed that issue by adding the following rule to
my local SELinux policy:

----8<----8<----
auth_use_nsswitch(local_login_t)
---->8---->8----

I'm not able to figure out why it needs to do DNS resolution at login.
The following are my related PAM configuration files:

----8<----8<----
abbe@chatteau ~ $ cat /etc/pam.d/system-auth
#%PAM-1.0

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
abbe@chatteau ~ $ cat /etc/pam.d/login
#%PAM-1.0

auth required pam_securetty.so
auth required pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth

account required pam_access.so
account include system-auth
account required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root

password include system-auth

# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_env.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so

# If you want to enable pam_console, uncomment the following line
# and read carefully README.pam_console in /usr/share/doc/pam*
#session optional pam_console.so

session include system-auth

# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open

abbe@chatteau ~ $ getent hosts `hostname`
::1 localhost chatteau.d.lf chatteau localhost.localdomain
abbe@chatteau ~ $ getent hosts 127.0.0.1
127.0.0.1 localhost chatteau.d.lf chatteau localhost.localdomain
---->8---->8----

The long delay is only experienced when the user is successfully
authenticated. So I think it's somewhere in the 'session' phase of PAM,
though I'm not sure on this.

Any idea what would be wrong here?

TIA
--
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --