Just to summarize the specific flow of this bug: 1. an application is started for a user session, e.g. sshd handles a user connecting. 2. the application uses pam for authentication, which by default includes pam_systemd as an (optional) module. 3. pam invokes pam_systemd as part of session creation. 4. pam_systemd calls into systemd-logind, over dbus with CreateSession. 5. the running systemd-logind process receives the dbus request and begins setting up the session. 6. systemd-logind attempts to get the full user info via NSS, e.g. getpwuid_r() or similar call 7. glibc attempts the user lookup, doesn't find the UID or username in /etc/passwd using the normal "files" based lookup 8. since nsswitch.conf is configured with network-based authentication (an essential part of this bug), glibc attempts (either through its "compat" mechanism, or separate nss module like libnss_ldap) to open a network connection to the remote authentication server to get the user info 9. since the glibc code, as well as any libnss module loaded by glibc, is running under the systemd-logind process, the network connection fails due to systemd-logind RestrictAddressFamilies= setting 10. nss returns a result of "no user found" to systemd-logind 11. systemd-logind determines it was unable to find the user data for the requested session, so it returns failure over dbus to the pam_systemd module 12. the pam_systemd module returns failure, but since it's marked "optional" (by default) in the pam common-session config file, the application isn't stopped from finishing successful auth 13. the application finishes pam authentication and opens a shell, but without a successful systemd-logind session
note that if there is a local caching component to whatever network authentication is configured - e.g. nscd - glibc might attempt to check that locally first, and if the user is located and no remote connection is needed, the lookup will succeed. also note that this bug only applies for nss modules that actually perform network connections directly from the nss module; if the nss module calls a local unix socket into a separate locally running process, that won't be blocked, since systemd-logind is allowed to do AF_UNIX. As has been pointed out and discussed, it really doesn't seem like there are any options to address this other than 1) open up systemd-logind to AF_INET and/or AF_INET6, or 2) provide systemd-logind with a way to perform nss lookups outside of direct nss calls, e.g. userdb. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1934393 Title: systemd-logind network access is blocked, and breaks remote authentication configurations To manage notifications about this bug go to: https://bugs.launchpad.net/systemd/+bug/1934393/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
