From patchwork Mon Jun 20 02:21:27 2022
X-Patchwork-Submitter: Paolo Cerrito
X-Patchwork-Id: 2514
From: Paolo Cerrito
To: openvpn-devel@lists.sourceforge.net
Cc: paolo
Date: Mon, 20 Jun 2022 14:21:27 +0200
Message-Id: <20220620122126.2676755-1-wardragon78@gmail.com>
Subject: [Openvpn-devel] [PATCH] Insert client connection data into PAM environment, upgraded

From: paolo
---
 src/plugins/auth-pam/auth-pam.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 70339445..c2e66e5c 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -49,7 +49,7 @@ #include #include #include "utils.h" - +#include #include #define DEBUG(verb) ((verb) >= 4)
@@ -121,6 +121,7 @@ struct user_pass { char password[128]; char common_name[128]; char response[128]; + char remote[INET6_ADDRSTRLEN]; const struct name_value_list *name_value_list; }; @@ -529,6 +530,11 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha const char *username = get_env("username", envp); const char *password = get_env("password", envp); const char *common_name = get_env("common_name", envp) ? get_env("common_name", envp) : ""; + const char *remote = get_env("untrusted_ip6", envp); + + if (remote == NULL){ + remote = get_env("untrusted_ip", envp); //if Null, try to take ipv4 if not set ipv6 + } /* should we do deferred auth? * yes, if there is "auth_control_file" and "deferred_auth_pam" env @@ -554,7 +560,8 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha || send_string(context->foreground_fd, username) == -1 || send_string(context->foreground_fd, password) == -1 || send_string(context->foreground_fd, common_name) == -1 - || send_string(context->foreground_fd, auth_control_file) == -1) + || send_string(context->foreground_fd, auth_control_file) == -1 + || send_string(context->foreground_fd, remote) == -1) { plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error sending auth info to background process"); } @@ -789,8 +796,16 @@ pam_auth(const char *service, const struct user_pass *up) status = pam_start(service, name_value_list_provided ? NULL : up->username, &conv, &pamh); if (status == PAM_SUCCESS) { + /* Set PAM_RHOST environment variable */ + if (*(up->remote)) + { + status = pam_set_item(pamh, PAM_RHOST, up->remote); + } /* Call PAM to verify username/password */ - status = pam_authenticate(pamh, 0); + if (status == PAM_SUCCESS) + { + status = pam_authenticate(pamh, 0); + } if (status == PAM_SUCCESS) { status = pam_acct_mgmt(pamh, 0); 
@@ -956,7 +971,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * if (recv_string(fd, up.username, sizeof(up.username)) == -1 || recv_string(fd, up.password, sizeof(up.password)) == -1 || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1 - || recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1) + || recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1 + || recv_string(fd, up.remote, sizeof(up.remote)) == -1) { plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel: code=%d, exiting", command); @@ -970,6 +986,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * up.username, up.password); #else plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: USER: %s", up.username); + plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: REMOTE: %s", up.remote); #endif }
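Review bot: the commit message is empty, the author line reads only "From: paolo", and there is no Signed-off-by line. The message should say what is exported (the peer address from untrusted_ip6, falling back to untrusted_ip, set as PAM_RHOST), that this is the unauthenticated transport address of the connecting peer, and that the plugin documentation should mention PAM_RHOST so PAM configurations (pam_access, for instance) can rely on it. The "upgraded" suffix in the subject is not a conventional revision marker; if this supersedes an earlier posting, use [PATCH v2] and put a short changelog below the "---".

Review bot: in the @@ -49,7 +49,7 @@ hunk the name of the added header did not survive extraction, so it cannot be checked here; it needs to be the header that defines INET6_ADDRSTRLEN, which the new remote[INET6_ADDRSTRLEN] field depends on (on glibc that is netinet/in.h, also pulled in by arpa/inet.h). The hunk also replaces the blank line after #include "utils.h" with the new include, which breaks the separation between the plugin's own header and the system headers; place the new include with the other system headers above "utils.h" and keep the blank line.

Review bot: char remote[INET6_ADDRSTRLEN] in the @@ -121,6 +121,7 @@ hunk has no headroom beyond a bare textual IPv6 address (46 bytes including the terminator), while every other string in struct user_pass is 128 bytes. Since the value is fed straight into PAM_RHOST, either document on the field that only the bare address from untrusted_ip/untrusted_ip6 is expected, or size it like the neighbouring fields so that a longer value is not silently cut.

Review bot: remote can still be NULL after the @@ -529,6 +530,11 @@ hunk: when neither untrusted_ip6 nor untrusted_ip is present in envp, the NULL pointer is handed to send_string in the next hunk and nothing in the diff guards against that. common_name two lines above already shows the pattern to follow; give remote the same empty-string fallback, which also matches the if (*(up->remote)) check on the background side, e.g.
if (remote == NULL)
{
    remote = get_env("untrusted_ip", envp) ? get_env("untrusted_ip", envp) : "";
}
The brace placement in "if (remote == NULL){" and the "//" comment also do not follow the style used elsewhere in this file (opening brace on its own line, /* */ comments, as in the pam_auth hunk).

Review bot: the new send_string(context->foreground_fd, remote) in the @@ -554,7 +560,8 @@ hunk is the point where a NULL remote from the previous hunk would reach send_string, so the fallback has to be in place before this call. The wire order is consistent with pam_server (username, password, common_name, ac_file_name, remote), but the command channel now carries five strings whose order is only enforced by convention; a one-line comment at each side pointing at the other would help keep them in lockstep.

Review bot: the comment "/* Set PAM_RHOST environment variable */" in the @@ -789,8 +796,16 @@ hunk is inaccurate: PAM_RHOST is a PAM item set with pam_set_item and read by modules with pam_get_item, not an environment variable (that would be pam_putenv). The control flow itself is fail-closed, which is right: a non-PAM_SUCCESS return from pam_set_item skips pam_authenticate and the status falls through to the existing handling. But no log line is emitted for that case, so a failing pam_set_item would not be distinguishable from a rejected password; add a plugin_log with pam_strerror(pamh, status) before falling through, and extend the comment to say that an empty remote deliberately leaves PAM_RHOST unset.

Review bot: the recv_string(fd, up.remote, sizeof(up.remote)) added in the @@ -956,7 +971,8 @@ hunk reads into a buffer much smaller than the others, so confirm how recv_string behaves when the sender writes more than sizeof(up.remote) bytes; its body is not part of this diff, and if it truncates or leaves bytes on the channel, a long value would either reach PAM as a mangled address or desynchronise the following reads rather than be rejected. The read order matches the foreground side, which is what matters for the existing "read error on command channel" path.

Review bot: the new "BACKGROUND: REMOTE:" log line in the @@ -970,6 +986,7 @@ hunk is added only to the #else branch; the #if branch above it (the one that logs up.username and up.password) does not get the remote address, so a build with that branch active loses exactly the information the patch introduces. Log the address in both branches or move the REMOTE line out of the #if/#else. It is emitted at PLOG_NOTE on every attempt, consistent with the USER line next to it, but the commit message should mention that the peer address is now written to the log for each authentication.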