From patchwork Fri Jun 24 00:49:41 2022
X-Patchwork-Submitter: Paolo Cerrito
X-Patchwork-Id: 2547
From: Paolo Cerrito
To: openvpn-devel@lists.sourceforge.net
Cc: paolo
Date: Fri, 24 Jun 2022 12:49:41 +0200
Message-Id: <20220624104940.2885435-1-wardragon78@gmail.com>
X-Mailer: git-send-email 2.36.1
Subject: [Openvpn-devel] [PATCH v2] Insert client connection data into PAM environment v2
From: paolo

"Changes from v1: changed sprintf for logging to plugin_log"
Changed to reflect the current head of the openvpn repository.

This patch puts the remote host IP into the PAM environment, so this makes the PAM module able to use it. In simple terms, this patch gets the IP (IPv4 and IPv6) from OpenVPN, puts it into the PAM environment and logs this operation.

signed-off-by: line.

--- src/plugins/auth-pam/auth-pam.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c index 70339445..c2e66e5c 100644 --- a/src/plugins/auth-pam/auth-pam.c +++ b/src/plugins/auth-pam/auth-pam.c @@ -49,7 +49,7 @@ #include #include #include "utils.h" - +#include #include #define DEBUG(verb) ((verb) >= 4) @@ -121,6 +121,7 @@ struct user_pass { char password[128]; char common_name[128]; char response[128]; + char remote[INET6_ADDRSTRLEN]; const struct name_value_list *name_value_list; }; @@ -529,6 +530,11 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha const char *username = get_env("username", envp); const char *password = get_env("password", envp); const char *common_name = get_env("common_name", envp) ? get_env("common_name", envp) : ""; + const char *remote = get_env("untrusted_ip6", envp); + + if (remote == NULL){ + remote = get_env("untrusted_ip", envp); //if Null, try to take ipv4 if not set ipv6 + } /* should we do deferred auth? * yes, if there is "auth_control_file" and "deferred_auth_pam" env
@@ -554,7 +560,8 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha || send_string(context->foreground_fd, username) == -1 || send_string(context->foreground_fd, password) == -1 || send_string(context->foreground_fd, common_name) == -1 - || send_string(context->foreground_fd, auth_control_file) == -1) + || send_string(context->foreground_fd, auth_control_file) == -1 + || send_string(context->foreground_fd, remote) == -1) { plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error sending auth info to background process"); } @@ -789,8 +796,16 @@ pam_auth(const char *service, const struct user_pass *up) status = pam_start(service, name_value_list_provided ? NULL : up->username, &conv, &pamh); if (status == PAM_SUCCESS) { + /* Set PAM_RHOST environment variable */ + if (*(up->remote)) + { + status = pam_set_item(pamh, PAM_RHOST, up->remote); + } /* Call PAM to verify username/password */ - status = pam_authenticate(pamh, 0); + if (status == PAM_SUCCESS) + { + status = pam_authenticate(pamh, 0); + } if (status == PAM_SUCCESS) { status = pam_acct_mgmt(pamh, 0); @@ -956,7 +971,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * if (recv_string(fd, up.username, sizeof(up.username)) == -1 || recv_string(fd, up.password, sizeof(up.password)) == -1 || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1 - || recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1) + || recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1 + || recv_string(fd, up.remote, sizeof(up.remote)) == -1) { plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel: code=%d, exiting", command); @@ -970,6 +986,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * up.username, up.password); #else plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: USER: %s", up.username); + plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: REMOTE: %s", up.remote); #endif }
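Review bot: in the first hunk (@@ -49,7) the header name on the added `+#include` line has been lost in this rendering, so a reader cannot tell which header is meant to supply INET6_ADDRSTRLEN for the new struct member; the POSIX home of that constant is <netinet/in.h>, and the commit message should say which header is added and why. The same hunk replaces the blank line that separated "utils.h" from the system includes rather than adding the include alongside it; keeping the separator matches the surrounding layout.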
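Review bot: in the struct user_pass hunk (@@ -121,6) the new `char remote[INET6_ADDRSTRLEN];` is sized for the longest textual IPv6 address plus terminator (46 bytes), which also covers any IPv4 string, so the size is right; unlike the neighbouring fields its purpose is not obvious from the name, so a short comment saying it carries the client's untrusted_ip/untrusted_ip6 value would help the next reader.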
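Review bot: in the openvpn_plugin_func_v1 hunk (@@ -529,6) `remote` is left NULL when neither untrusted_ip6 nor untrusted_ip is present in envp, and the following hunk hands that pointer straight to send_string; give it the same empty-string fallback that common_name gets on the line just above, e.g. a final `if (remote == NULL) { remote = ""; }`, so the background process receives an empty field instead of send_string receiving NULL. Style: the file puts braces on their own line and uses /* */ comments (see the "should we do deferred auth?" block right below), so `if (remote == NULL){` and the trailing `//` comment should be reformatted to match, and the comment reads more clearly as "no IPv6 address, fall back to the IPv4 one".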
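Review bot: in the send hunk (@@ -554,7) the new `send_string(context->foreground_fd, remote)` is appended last, so the foreground field order (username, password, common_name, auth_control_file, remote) matches the recv_string order added to pam_server further down; that ordering is the only contract between the two processes, so any later field must be added at the end of both lists together.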
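Review bot: in the pam_auth hunk (@@ -789,8) the comment "Set PAM_RHOST environment variable" is inaccurate: pam_set_item sets a PAM item, not a PAM environment variable (those are set with pam_putenv), and the distinction matters to module authors, so something like "Tell PAM the remote host (PAM_RHOST) so modules can consult it" is better; the patch subject uses the same "environment" wording. The control flow itself is right: a failing pam_set_item leaves status non-success so pam_authenticate and pam_acct_mgmt are skipped, and the `*(up->remote)` guard leaves PAM_RHOST untouched when no address was supplied. Consider a dedicated plugin_log when pam_set_item fails so that case is not mistaken for a wrong password.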
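Review bot: in the pam_server receive hunk (@@ -956,7) the added `recv_string(fd, up.remote, sizeof(up.remote))` is in the same position as the corresponding send, and the sizeof bound ties the wire field to the INET6_ADDRSTRLEN buffer declared in the struct hunk; the existing "read error on command channel" message now covers five reads, which is fine since the exit path is the same for all of them.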
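Review bot: in the logging hunk (@@ -970,6) the new "BACKGROUND: REMOTE: %s" line sits in the same `#else` branch as the existing "BACKGROUND: USER: %s" line, so it is emitted under exactly the same conditions as that line and not on its own; if the intent stated in the commit message is to log the operation, check that those conditions match what you want, and folding both values into one line ("BACKGROUND: USER: %s REMOTE: %s") keeps user and address together for correlation. When no address was supplied the line prints an empty value; printing a marker such as "(none)" in that case avoids an ambiguous entry.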