From patchwork Mon Jun 20 00:25:56 2022
X-Patchwork-Submitter: Paolo Cerrito
X-Patchwork-Id: 2513
From: Paolo Cerrito
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 20 Jun 2022 12:25:56 +0200
Message-Id: <20220620102556.2606520-1-wardragon78@gmail.com>
X-Mailer: git-send-email 2.36.1
Subject: [Openvpn-devel] [PATCH] Insert client connection data into PAM environment
Cc: paolo

From: paolo --- src/plugins/auth-pam/auth-pam.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c index 70339445..f91a2f02 100644 --- a/src/plugins/auth-pam/auth-pam.c +++ b/src/plugins/auth-pam/auth-pam.c @@ -49,7 +49,7 @@ #include #include #include "utils.h" - +#include #include #define DEBUG(verb) ((verb) >= 4) 
@@ -121,6 +121,7 @@ struct user_pass { char password[128]; char common_name[128]; char response[128]; + char remote[INET6_ADDRSTRLEN]; const struct name_value_list *name_value_list; }; @@ -529,6 +530,11 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha const char *username = get_env("username", envp); const char *password = get_env("password", envp); const char *common_name = get_env("common_name", envp) ? get_env("common_name", envp) : ""; + const char *remote = get_env("untrusted_ip6", envp); + + if (remote == NULL){ + remote = get_env("untrusted_ip", envp); //if Null, try to take ipv4 if not set ipv6 + } /* should we do deferred auth? * yes, if there is "auth_control_file" and "deferred_auth_pam" env @@ -555,6 +561,7 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha || send_string(context->foreground_fd, password) == -1 || send_string(context->foreground_fd, common_name) == -1 || send_string(context->foreground_fd, auth_control_file) == -1) + || send_string(context->foreground_fd, remote) == -1) { plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error sending auth info to background process"); } @@ -789,8 +796,16 @@ pam_auth(const char *service, const struct user_pass *up) status = pam_start(service, name_value_list_provided ? NULL : up->username, &conv, &pamh); if (status == PAM_SUCCESS) { + /* Set PAM_RHOST environment variable */ + if (*(up->remote)) + { + status = pam_set_item(pamh, PAM_RHOST, up->remote); + } /* Call PAM to verify username/password */ - status = pam_authenticate(pamh, 0); + if (status == PAM_SUCCESS) + { + status = pam_authenticate(pamh, 0); + } if (status == PAM_SUCCESS) { status = pam_acct_mgmt(pamh, 0); 
@@ -957,6 +972,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * || recv_string(fd, up.password, sizeof(up.password)) == -1 || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1 || recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1) + || recv_string(fd, up.remote, sizeof(up.remote)) == -1) { plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel: code=%d, exiting", command); @@ -970,6 +986,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * up.username, up.password); #else plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: USER: %s", up.username); + plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: REMOTE: %s", up.remote); #endif }
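Review bot: the patch carries no description above the `---` separator, only a `From: paolo` line, so nothing in the commit message explains why the peer address is being handed to PAM or which PAM modules are expected to consume PAM_RHOST; please add a short rationale, and reconcile the subject line with the code: the change sets the PAM_RHOST item via pam_set_item(), it does not insert anything into the PAM environment.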
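Review bot: in the @@ -49 hunk the new #include replaces the blank line that separated `#include "utils.h"` from the system include below it, so the added header now sits between the project header and a system header; keep the blank line and group the new include with the other system includes above `utils.h`.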
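Review bot: in the @@ -529 hunk `remote` stays NULL when neither `untrusted_ip6` nor `untrusted_ip` is present in envp, and that NULL is then passed to send_string() in the next hunk; `common_name` on the line just above is defaulted to "" for exactly this reason, so do the same, e.g. `if (remote == NULL) { remote = get_env("untrusted_ip", envp); }` followed by `if (remote == NULL) { remote = ""; }`. The brace placement (`{` on the `if` line) and the `//` comment also differ from the surrounding code, which puts `{` on its own line and uses `/* */` comments; reword the comment to say what the code does (prefer the IPv6 peer address, fall back to IPv4).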
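Review bot: the @@ -555 hunk does not compile as written: the unchanged context line `|| send_string(context->foreground_fd, auth_control_file) == -1)` already closes the if-condition with its final `)`, and the added `|| send_string(context->foreground_fd, remote) == -1)` lands after that closing parenthesis. The existing last operand has to be touched too (a `-`/`+` pair dropping its trailing `)`) so that the new send_string() line becomes the final operand and carries the closing parenthesis.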
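Review bot: in the @@ -789 hunk a pam_set_item() failure skips pam_authenticate() and pam_acct_mgmt() and leaves `status` holding the item error with nothing logged at that point, so the operator sees a failed login with no hint that setting PAM_RHOST was the cause; log `pam_strerror(pamh, status)` on that path before falling through. The comment "Set PAM_RHOST environment variable" is also inaccurate: PAM_RHOST is a PAM item (pam_set_item), not a PAM environment variable (that would be pam_putenv).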
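Review bot: the @@ -957 hunk has the same syntax problem as the send side: the context line `|| recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1)` closes the condition, and the added `|| recv_string(fd, up.remote, sizeof(up.remote)) == -1)` follows outside the parentheses. Move the closing `)` onto the new line. The wire order itself is consistent (username, password, common_name, auth_control_file, remote on both sides), which is what keeps the foreground and background processes in step, so any further field must be appended at the same position in both chains.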
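Review bot: in the @@ -970 hunk the new `BACKGROUND: REMOTE: %s` log line is placed only in the #else branch, so builds compiled with the branch that also logs the password never record the peer address; move the plugin_log() call after the #endif (or add it to both branches) so the address is logged independently of that compile-time option.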