Add PAM_RHOST support

Supplies the IP address that an authentication event is
received from as the PAM parameter PAM_RHOST for PAM-capable systems.
matt335672 2022-04-12 12:37:30 +01:00
parent 79bec8110c
commit a4c6c36cf2
7 changed files with 30 additions and 12 deletions


@ -32,11 +32,13 @@
* @brief Validates user's password
* @param user user's login name
* @param pass user's password
* @param client_ip IP address of connecting client (or ""/NULL if not known)
* @return non-zero handle on success, 0 on failure
*
*/
long
auth_userpass(const char *user, const char *pass, int *errorcode);
auth_userpass(const char *user, const char *pass,
const char *client_ip, int *errorcode);
/**
*
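Review bot: The new `@param client_ip` line says when the value may be empty but not what it is used for, and since this is the string that ends up as PAM_RHOST on PAM builds (and is ignored by the other backends), callers deciding whether to pass it would benefit from that being stated here. Suggested wording: `@param client_ip IP address of connecting client, forwarded as PAM_RHOST where the backend supports it (or ""/NULL if not known)`. The declaration's doc block continues outside the hunk, so the `@return` line may also want to say that the address only affects backends that consult it.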


@ -75,7 +75,7 @@ process_gateway_request(struct trans *trans)
LOG(LOG_LEVEL_INFO, "Received authentication request for user: %s",
username);
data = auth_userpass(username, password, &errorcode);
data = auth_userpass(username, password, ip_addr, &errorcode);
if (data)
{
if (1 == access_login_allowed(username))
@ -133,7 +133,7 @@ process_create_session_request(struct trans *trans)
SCP_SESSION_TYPE_TO_STR(sp.type),
sp.username);
data = auth_userpass(sp.username, password, &errorcode);
data = auth_userpass(sp.username, password, sp.ip_addr, &errorcode);
if (data)
{
s_item = session_get_bydata(&sp);
@ -219,7 +219,7 @@ process_list_sessions_request(struct trans *trans)
LOG(LOG_LEVEL_INFO,
"Received request to list sessions for user %s", username);
data = auth_userpass(username, password, &errorcode);
data = auth_userpass(username, password, NULL, &errorcode);
if (data)
{
struct scp_session_info *info = NULL;
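Review bot: The third call site passes `NULL` for the client address while the gateway and create-session paths pass `ip_addr` / `sp.ip_addr`, so PAM_RHOST is never set when a list-sessions request is authenticated; a PAM stack that restricts or records logins by remote host will evaluate that path as if the address were unknown. If the list-sessions SCP request carries the client address as the other two appear to, it should be forwarded for consistency; if it does not, a one-line comment at the call, `/* list-sessions request carries no client address; PAM_RHOST stays unset */`, would record that this is deliberate. Where `ip_addr` in the first hunk is populated is outside the hunk, so I cannot confirm it is always initialised before this call.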


@ -51,7 +51,8 @@ auth_account_disabled(struct spwd *stp);
/******************************************************************************/
/* returns boolean */
long
auth_userpass(const char *user, const char *pass, int *errorcode)
auth_userpass(const char *user, const char *pass,
const char *client_ip, int *errorcode)
{
const char *encr;
const char *epass;
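Review bot: The new `client_ip` parameter is accepted but, as far as the hunk shows, never referenced in this backend, and the same applies to the auth_userokay, Kerberos and pam_userpass variants of `auth_userpass` further down in this commit. An explicit `(void)client_ip; /* remote host not supported by this backend */` at the top of each body documents that the address is intentionally dropped here and keeps `-Wextra` builds quiet. The function bodies continue outside the hunks, so an existing use later in the function would make this moot.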


@ -46,7 +46,8 @@
/******************************************************************************/
/* returns boolean */
long
auth_userpass(const char *user, const char *pass, int *errorcode)
auth_userpass(const char *user, const char *pass,
const char *client_ip, int *errorcode)
{
int ret = auth_userokay(user, NULL, "auth-xrdp", pass);
return ret;


@ -400,8 +400,9 @@ cleanup:
/******************************************************************************/
/* returns boolean */
int
auth_userpass(const char *user, const char *pass, int *errorcode)
long
auth_userpass(const char *user, const char *pass,
const char *client_ip, int *errorcode)
{
struct k_opts opts;
struct k5_data k5;


@ -32,6 +32,7 @@
#include "os_calls.h"
#include "log.h"
#include "string_calls.h"
#include "auth.h"
#include <stdio.h>
#include <security/pam_appl.h>
@ -212,7 +213,8 @@ get_service_name(char *service_name)
Stores the detailed error code in the errorcode variable*/
long
auth_userpass(const char *user, const char *pass, int *errorcode)
auth_userpass(const char *user, const char *pass,
const char *client_ip, int *errorcode)
{
int error;
struct t_auth_info *auth_info;
@ -239,10 +241,20 @@ auth_userpass(const char *user, const char *pass, int *errorcode)
return 0;
}
if (client_ip != NULL && client_ip[0] != '\0')
{
error = pam_set_item(auth_info->ph, PAM_RHOST, client_ip);
if (error != PAM_SUCCESS)
{
LOG(LOG_LEVEL_ERROR, "pam_set_item(PAM_RHOST) failed: %s",
pam_strerror(auth_info->ph, error));
}
}
error = pam_set_item(auth_info->ph, PAM_TTY, service_name);
if (error != PAM_SUCCESS)
{
LOG(LOG_LEVEL_ERROR, "pam_set_item failed: %s",
LOG(LOG_LEVEL_ERROR, "pam_set_item(PAM_TTY) failed: %s",
pam_strerror(auth_info->ph, error));
}
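Review bot: A failed `pam_set_item(PAM_RHOST)` is logged and authentication then continues with no remote host recorded, so any host-aware module in the stack evaluates the attempt as if the address were unknown, which is a fail-open outcome for an access-control input. This mirrors the existing PAM_TTY handling, so if it is deliberate a comment such as `/* Non-fatal: host-aware PAM modules will see no rhost for this attempt */` would make the trade-off visible; otherwise routing the failure through the same `return 0;` path used just above for the PAM start failure would fail closed. The surrounding function starts and ends outside the hunk, so I cannot see whether that path also releases the handle.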


@ -38,8 +38,9 @@
/******************************************************************************/
/* returns boolean */
int
auth_userpass(const char *user, const char *pass, int *errorcode)
long
auth_userpass(const char *user, const char *pass,
const char *client_ip, int *errorcode)
{
pam_handle_t *pamh;
pam_userpass_t userpass;