From patchwork Mon Oct 10 01:27:46 2022
X-Patchwork-Submitter: Paolo Cerrito
X-Patchwork-Id: 2809
From: Paolo Cerrito
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Oct 2022 14:27:46 +0200
Message-Id: <20221010122745.19809-1-wardragon78@gmail.com>
X-Mailer: git-send-email 2.37.2
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH v3] Insert client connection data into PAM environment
Cc: paolo

From: paolo

- styled code as openvpn
- added check for remote, if NULL after all get_env, put to point to empty string

Signed-off-by: Paolo Cerrito
Acked-by: Gert Doering
---
 src/plugins/auth-pam/auth-pam.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 70339445..f90ffc5c 100644
--- a/src/plugins/auth-pam/auth-pam.c +++ b/src/plugins/auth-pam/auth-pam.c @@ -49,7 +49,7 @@ #include #include #include "utils.h" - +#include #include #define DEBUG(verb) ((verb) >= 4) @@ -121,6 +121,7 @@ struct user_pass { char password[128]; char common_name[128]; char response[128]; + char remote[INET6_ADDRSTRLEN]; const struct name_value_list *name_value_list; }; @@ -529,6 +530,14 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha const char *username = get_env("username", envp); const char *password = get_env("password", envp); const char *common_name = get_env("common_name", envp) ? get_env("common_name", envp) : ""; + const char *remote = get_env("untrusted_ip6", envp); + + if (remote == NULL) + { + remote = get_env("untrusted_ip", envp); + } + + if (remote == NULL) remote=""; /* should we do deferred auth? * yes, if there is "auth_control_file" and "deferred_auth_pam" env @@ -554,7 +563,8 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha || send_string(context->foreground_fd, username) == -1 || send_string(context->foreground_fd, password) == -1 || send_string(context->foreground_fd, common_name) == -1 - || send_string(context->foreground_fd, auth_control_file) == -1) + || send_string(context->foreground_fd, auth_control_file) == -1 + || send_string(context->foreground_fd, remote) == -1) { plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error sending auth info to background process"); } 
@@ -789,8 +799,16 @@ pam_auth(const char *service, const struct user_pass *up) status = pam_start(service, name_value_list_provided ? NULL : up->username, &conv, &pamh); if (status == PAM_SUCCESS) { + /* Set PAM_RHOST environment variable */ + if (*(up->remote)) + { + status = pam_set_item(pamh, PAM_RHOST, up->remote); + } /* Call PAM to verify username/password */ - status = pam_authenticate(pamh, 0); + if (status == PAM_SUCCESS) + { + status = pam_authenticate(pamh, 0); + } if (status == PAM_SUCCESS) { status = pam_acct_mgmt(pamh, 0); @@ -956,7 +974,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * if (recv_string(fd, up.username, sizeof(up.username)) == -1 || recv_string(fd, up.password, sizeof(up.password)) == -1 || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1 - || recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1) + || recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1 + || recv_string(fd, up.remote, sizeof(up.remote)) == -1) { plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel: code=%d, exiting", command); @@ -970,6 +989,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * up.username, up.password); #else plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: USER: %s", up.username); + plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: REMOTE: %s", up.remote); #endif }
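Review bot: in the @@ -49,7 +49,7 @@ hunk the new #include (its header name is lost in this rendering) replaces the blank line that separated "utils.h" from the system headers, so a system include now sits between the project header and the rest. Keep the blank line and group the new include with the other system headers above "utils.h" so the include order stays consistent with the rest of the file.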
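Review bot: the new `char remote[INET6_ADDRSTRLEN];` member in struct user_pass (@@ -121,6 +121,7 @@) has no comment saying what it holds. Since it carries either the IPv6 text form from untrusted_ip6 or the IPv4 text form from untrusted_ip, and is consumed by pam_set_item(PAM_RHOST), a one-line comment stating that, and that INET6_ADDRSTRLEN covers both forms, would help the next reader.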
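Review bot: `if (remote == NULL) remote="";` at the end of the @@ -529,6 +530,14 @@ hunk does not follow the brace-on-its-own-line style that the commit message says the patch adopts and that the untrusted_ip6 fallback just above it uses; write it as
    if (remote == NULL)
    {
        remote = "";
    }
The check itself is right: the value is later passed to send_string and, in the background process, to pam_set_item, so the empty default keeps both calls well-defined when neither environment variable is present.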
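Review bot: the added `send_string(context->foreground_fd, remote)` in @@ -554,7 +563,8 @@ extends the foreground-to-background message with a fifth string, sent last, which matches the recv order added in pam_server, but nothing in the code ties the two orders together. A short comment at both send and receive sites (or an ordering note on struct user_pass) would stop a future field from being added on one side only.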
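Review bot: in @@ -789,8 +799,16 @@ a failed pam_set_item(pamh, PAM_RHOST, up->remote) skips pam_authenticate and falls through with the error status, which fails closed, but nothing logs why; consider a plugin_log of the pam_set_item failure so an operator can distinguish a PAM_RHOST setup error from a rejected credential. Also, the comment "Set PAM_RHOST environment variable" is inaccurate: PAM_RHOST is a PAM item, not an environment variable, so "Set the PAM_RHOST item" would be clearer.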
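Review bot: the new `plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: REMOTE: %s", up.remote)` in @@ -970,6 +989,7 @@ emits the address on a separate line from the USER line it belongs to, and prints an empty string when neither untrusted_ip6 nor untrusted_ip was set. Folding it into the existing message, e.g. "BACKGROUND: USER: %s REMOTE: %s", keeps user and address in one record for log correlation; this is a per-attempt line at PLOG_NOTE in the non-debug branch, so its volume matches the existing USER line.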