A little problem, which is bugging me: when using PAM authentication, Dovecot (0.99.5) does not set the PAM_RHOST item, so the PAM modules cannot know who the client is. We need this for some PAM module doing access control.
Changing passdb-pam.c to call pam_set_item seems trivial, but I'm bugged as to how to get the client name from there. It seems not to be available in the auth_request struct or anything from there. I tried even adding an upwards reference from there to the struct client *, but then I see that there are three structs named client and two structs named auth_request, and somehow I got into trouble passing it cleanly.
Any help or guidance for it is greatly appreciated. (I know Dovecot 0.99 is not really under development and such stuff is done in Dovecot 1.0 now, but that's not yet stable and for now we're using 0.99 where it would help).
Thanks, -- Tom
-- Tom Alsberg - hacker (being the best description fitting this space) Web page: http://www.cs.huji.ac.il/~alsbergt/ DISCLAIMER: The above message does not even necessarily represent what my fingers have typed on the keyboard, save anything further.
On Mon, 2004-06-14 at 09:53, Tom Alsberg wrote:
> Changing passdb-pam.c to call pam_set_item seems trivial, but I'm bugged as to how to get the client name from there. It seems not to be available in the auth_request struct or anything from there. I tried even adding an upwards reference from there to the struct client *, but then I see that there are three structs named client and two structs named auth_request, and somehow I got into trouble passing it cleanly.
See Chernomorets Sergey's recent post about vpopmail. It has client_ip passed all the way to auth_request. I'll also commit this to CVS: Index: passdb-pam.c =================================================================== RCS file: /home/cvs/dovecot/src/auth/passdb-pam.c,v retrieving revision 1.15 diff -u -r1.15 passdb-pam.c --- passdb-pam.c 31 May 2004 18:57:25 -0000 1.15 +++ passdb-pam.c 15 Jun 2004 03:12:37 -0000 @@ -15,6 +15,7 @@ #include "common.h" #include "buffer.h" #include "ioloop.h" +#include "network.h" #include "passdb.h" #include "mycrypt.h" #include "safe-memset.h" @@ -204,7 +205,7 @@ } static void -pam_verify_plain_child(const char *service, const char *user, +pam_verify_plain_child(const struct auth_request *request, const char *service, const char *password, int fd) { pam_handle_t *pamh; @@ -219,15 +220,21 @@ conv.conv = pam_userpass_conv; conv.appdata_ptr = &userpass; - userpass.user = user; + userpass.user = request->user; userpass.pass = password; - status = pam_start(service, user, &conv, &pamh); + status = pam_start(service, request->user, &conv, &pamh); if (status != PAM_SUCCESS) { result = PASSDB_RESULT_INTERNAL_FAILURE; str = t_strdup_printf("pam_start() failed: %s", pam_strerror(pamh, status)); } else { +#ifdef PAM_RHOST + const char *host = net_ip2addr(&request->remote_ip); + if (host != NULL) + pam_set_item(pamh, PAM_RHOST, host); +#endif + status = pam_auth(pamh, &str); if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) { /* FIXME: check for PASSDB_RESULT_UNKNOWN_USER @@ -360,7 +367,7 @@ if (pid == 0) { (void)close(fd[0]); - pam_verify_plain_child(service, request->user, password, fd[1]); + pam_verify_plain_child(request, service, password, fd[1]); _exit(0); }
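Review bot: in the third hunk (the `#ifdef PAM_RHOST` block after the pam_start() success branch) the return value of pam_set_item() is ignored, so if setting PAM_RHOST fails the authentication simply proceeds with no remote host recorded, which is the one case an access-control module keyed on PAM_RHOST must not silently see; check the status and handle a failure like the pam_start() failure above (PASSDB_RESULT_INTERNAL_FAILURE with the pam_strerror() text), or at least log it. The `host != NULL` guard also only helps if net_ip2addr() returns NULL for an unset remote_ip; if it returns an empty string for a connection without a remote address, PAM_RHOST gets set to "", so guard with `*host != '\0'` too. Finally, the value set is the textual IP address of the connecting peer, not a resolved hostname, which is worth stating in the commit message since PAM_RHOST is commonly read as a hostname.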