Add PAM_RHOST support

Supplies the IP address that an authentication event is received from as the PAM parameter PAM_RHOST for PAM-capable systems.
2022-04-12 12:37:30 +01:00 · 2022-04-12 12:37:30 +01:00 · a4c6c36cf2
commit a4c6c36cf2
parent 79bec8110c
7 changed files with 30 additions and 12 deletions
--- a/sesman/auth.h
+++ b/sesman/auth.h
@ -32,11 +32,13 @@
 * @brief Validates user's password
 * @param user user's login name
 * @param pass user's password
+ * @param client_ip IP address of connecting client (or ""/NULL if not known)
 * @return non-zero handle on success, 0 on failure
 *
 */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode);
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode);

 /**
 *
--- a/sesman/scp_process.c
+++ b/sesman/scp_process.c
@ -75,7 +75,7 @@ process_gateway_request(struct trans *trans)
        LOG(LOG_LEVEL_INFO, "Received authentication request for user: %s",
            username);

-        data = auth_userpass(username, password, &errorcode);
+        data = auth_userpass(username, password, ip_addr, &errorcode);
        if (data)
        {
            if (1 == access_login_allowed(username))
@ -133,7 +133,7 @@ process_create_session_request(struct trans *trans)
            SCP_SESSION_TYPE_TO_STR(sp.type),
            sp.username);

-        data = auth_userpass(sp.username, password, &errorcode);
+        data = auth_userpass(sp.username, password, sp.ip_addr, &errorcode);
        if (data)
        {
            s_item = session_get_bydata(&sp);
@ -219,7 +219,7 @@ process_list_sessions_request(struct trans *trans)
        LOG(LOG_LEVEL_INFO,
            "Received request to list sessions for user %s", username);

-        data = auth_userpass(username, password, &errorcode);
+        data = auth_userpass(username, password, NULL, &errorcode);
        if (data)
        {
            struct scp_session_info *info = NULL;
--- a/sesman/verify_user.c
+++ b/sesman/verify_user.c
@ -51,7 +51,8 @@ auth_account_disabled(struct spwd *stp);
 /******************************************************************************/
 /* returns boolean */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
    const char *encr;
    const char *epass;
--- a/sesman/verify_user_bsd.c
+++ b/sesman/verify_user_bsd.c
@ -46,7 +46,8 @@
 /******************************************************************************/
 /* returns boolean */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
    int ret = auth_userokay(user, NULL, "auth-xrdp", pass);
    return ret;
--- a/sesman/verify_user_kerberos.c
+++ b/sesman/verify_user_kerberos.c
@ -400,8 +400,9 @@ cleanup:

 /******************************************************************************/
 /* returns boolean */
-int
-auth_userpass(const char *user, const char *pass, int *errorcode)
+long
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
    struct k_opts opts;
    struct k5_data k5;
--- a/sesman/verify_user_pam.c
+++ b/sesman/verify_user_pam.c
@ -32,6 +32,7 @@
 #include "os_calls.h"
 #include "log.h"
 #include "string_calls.h"
+#include "auth.h"

 #include <stdio.h>
 #include <security/pam_appl.h>
@ -212,7 +213,8 @@ get_service_name(char *service_name)
 Stores the detailed error code in the errorcode variable*/

 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
    int error;
    struct t_auth_info *auth_info;
@ -239,10 +241,20 @@ auth_userpass(const char *user, const char *pass, int *errorcode)
        return 0;
    }

+    if (client_ip != NULL && client_ip[0] != '\0')
+    {
+        error = pam_set_item(auth_info->ph, PAM_RHOST, client_ip);
+        if (error != PAM_SUCCESS)
+        {
+            LOG(LOG_LEVEL_ERROR, "pam_set_item(PAM_RHOST) failed: %s",
+                pam_strerror(auth_info->ph, error));
+        }
+    }
+
    error = pam_set_item(auth_info->ph, PAM_TTY, service_name);
    if (error != PAM_SUCCESS)
    {
-        LOG(LOG_LEVEL_ERROR, "pam_set_item failed: %s",
+        LOG(LOG_LEVEL_ERROR, "pam_set_item(PAM_TTY) failed: %s",
            pam_strerror(auth_info->ph, error));
    }

--- a/sesman/verify_user_pam_userpass.c
+++ b/sesman/verify_user_pam_userpass.c
@ -38,8 +38,9 @@

 /******************************************************************************/
 /* returns boolean */
-int
-auth_userpass(const char *user, const char *pass, int *errorcode)
+long
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
    pam_handle_t *pamh;
    pam_userpass_t userpass;