[Openvpn-devel] Patch for pam recent module

Message ID da61f7b0-f9e1-e4e7-3aa0-a0dd603a3f32@gmail.com
State New
Headers show
Series
  • [Openvpn-devel] Patch for pam recent module
Related show

Commit Message

Paolo June 26, 2019, 1:37 p.m.
hi,

i make a pull reuqest ofr this patch some times ago over github, this
patch implements the right peace of software for passing ip and hostname
to pam modules, to use for example in firewall or modules like
pam_recent, this patch is succefull running by more tha 7 years into our
systems.


             {
                 fprintf(stderr, "AUTH-PAM: Error sending auth info to
background process\n");
             }
@@ -750,8 +753,16 @@ pam_auth(const char *service, const struct
user_pass *up)
     status = pam_start(service, name_value_list_provided ? NULL :
up->username, &conv, &pamh);
     if (status == PAM_SUCCESS)
     {
+        /* Set PAM_RHOST environment variable */
+        if (*(up->remote))
+        {
+            status = pam_set_item(pamh, PAM_RHOST, up->remote);
+        }
         /* Call PAM to verify username/password */
-        status = pam_authenticate(pamh, 0);
+        if (status == PAM_SUCCESS)
+        {
+            status = pam_authenticate(pamh, 0);
+        }
         if (status == PAM_SUCCESS)
         {
             status = pam_acct_mgmt(pamh, 0);
@@ -839,7 +850,8 @@ pam_server(int fd, const char *service, int verb,
const struct name_value_list *
             case COMMAND_VERIFY:
                 if (recv_string(fd, up.username, sizeof(up.username)) == -1
                     || recv_string(fd, up.password,
sizeof(up.password)) == -1
-                    || recv_string(fd, up.common_name,
sizeof(up.common_name)) == -1)
+                    || recv_string(fd, up.common_name,
sizeof(up.common_name)) == -1
+                    || recv_string(fd, up.remote, sizeof(up.remote)) == -1)
                 {
                     fprintf(stderr, "AUTH-PAM: BACKGROUND: read error
on command channel: code=%d, exiting\n",
                             command);
@@ -853,6 +865,7 @@ pam_server(int fd, const char *service, int verb,
const struct name_value_list *
                             up.username, up.password);
 #else
                     fprintf(stderr, "AUTH-PAM: BACKGROUND: USER: %s\n",
up.username);
+                    fprintf(stderr, "AUTH-PAM: BACKGROUND: REMOTE:
%s\n", up.remote);
 #endif
                 }

Comments

Gert Doering June 27, 2019, 7:53 a.m. | #1
Hi,

On Wed, Jun 26, 2019 at 03:37:56PM +0200, Paolo wrote:
> i make a pull reuqest ofr this patch some times ago over github, this
> patch implements the right peace of software for passing ip and hostname
> to pam modules, to use for example in firewall or modules like
> pam_recent, this patch is succefull running by more tha 7 years into our
> systems.

Please send patches with "git send-email".  Your mail program totally
massacred the patch (most spaces were replaced by alt-space, 0xa0, which
looks like a space but isn't)

Please do also use a meaningful commit message that describes what
the patch does, and use "git commit -s" to add a signed-off-by line.

> \xa0\xa0\xa0\xa0 char response[128];
> +\xa0\xa0\xa0 char remote[128];

This is how the patch arrived here...

gert

Patch

diff --git a/src/plugins/auth-pam/auth-pam.c
b/src/plugins/auth-pam/auth-pam.c
index 88b53204..9d8dfb95 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -115,6 +115,7 @@  struct user_pass {
     char password[128];
     char common_name[128];
     char response[128];
+    char remote[128];
 
     const struct name_value_list *name_value_list;
 };
@@ -517,13 +518,15 @@  openvpn_plugin_func_v1(openvpn_plugin_handle_t
handle, const int type, const cha
         const char *username = get_env("username", envp);
         const char *password = get_env("password", envp);
         const char *common_name = get_env("common_name", envp) ?
get_env("common_name", envp) : "";
+        const char *remote = get_env("untrusted_ip", envp) ?
get_env("untrusted_ip", envp) : get_env("untrusted_ip6", envp);
 
         if (username && strlen(username) > 0 && password)
         {
             if (send_control(context->foreground_fd, COMMAND_VERIFY) == -1
                 || send_string(context->foreground_fd, username) == -1
                 || send_string(context->foreground_fd, password) == -1
-                || send_string(context->foreground_fd, common_name) == -1)
+                || send_string(context->foreground_fd, common_name) == -1
+                || send_string(context->foreground_fd, remote) == -1)