"LOCAL" works as designed. The manual page is not very easy to understand as it refers to internals of the pam_access module, but what it boils down to is that if you have a network connection (and a connection through the loopback device counts as such), this is not "LOCAL": "LOCAL keyword matches if and only if the PAM_RHOST is not set and <origin> field is thus set from PAM_TTY or PAM_SERVICE". As to "localhost" (or any other hostname) not being resolved: this is, indeed, not handled, I'm working on that.