@@ -115,6 +115,7 @@ struct user_pass {
char password[128];
char common_name[128];
char response[128];
+ char remote[40];
const struct name_value_list *name_value_list;
};
@@ -517,13 +518,15 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
const char *username = get_env("username", envp);
const char *password = get_env("password", envp);
const char *common_name = get_env("common_name", envp) ? get_env("common_name", envp) : "";
+ const char *remote = get_env("untrusted_ip6", envp) ? get_env("untrusted_ip6", envp) : get_env("untrusted_ip", envp);
if (username && strlen(username) > 0 && password)
{
if (send_control(context->foreground_fd, COMMAND_VERIFY) == -1
|| send_string(context->foreground_fd, username) == -1
|| send_string(context->foreground_fd, password) == -1
- || send_string(context->foreground_fd, common_name) == -1)
+ || send_string(context->foreground_fd, common_name) == -1
+ || send_string(context->foreground_fd, remote) == -1)
{
fprintf(stderr, "AUTH-PAM: Error sending auth info to background process\n");
}
@@ -750,8 +753,16 @@ pam_auth(const char *service, const struct user_pass *up)
status = pam_start(service, name_value_list_provided ? NULL : up->username, &conv, &pamh);
if (status == PAM_SUCCESS)
{
+ /* Set PAM_RHOST environment variable */
+ if (*(up->remote))
+ {
+ status = pam_set_item(pamh, PAM_RHOST, up->remote);
+ }
/* Call PAM to verify username/password */
- status = pam_authenticate(pamh, 0);
+ if (status == PAM_SUCCESS)
+ {
+ status = pam_authenticate(pamh, 0);
+ }
if (status == PAM_SUCCESS)
{
status = pam_acct_mgmt(pamh, 0);
@@ -839,7 +850,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
case COMMAND_VERIFY:
if (recv_string(fd, up.username, sizeof(up.username)) == -1
|| recv_string(fd, up.password, sizeof(up.password)) == -1
- || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1)
+ || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1
+ || recv_string(fd, up.remote, sizeof(up.remote)) == -1)
{
fprintf(stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
command);
@@ -848,12 +860,27 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
if (DEBUG(verb))
{
+ if (up.remote)
+ {
#if 0
- fprintf(stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
- up.username, up.password);
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: USER/PASS/REMOTE: %s/%s/%s\n",
+ up.username, up.password, up.remote);
#else
- fprintf(stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: USER/REMOTE: %s/%s\n",
+ up.username, up.remote);
#endif
+ }
+ else
+ {
+#if 0
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
+ up.username, up.password);
+#else
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: USER: %s/\n",
+ up.username);
+#endif
+
+ }
}
/* If password is of the form SCRV1:base64:base64 split it up */