to improve forensic log info i want to set the PAM_RHOST value to the
remote ip (which pam logs as rhost=foo in failure messages). i didn't
look to see if anything has been done in this way on CVS because i'm still
on 0.99.10.6.
below is a bit of a hack. in some sense the remote_ip might make more
sense in the AUTH_LOGIN_REQUEST_NEW packet rather than the continue
packet... but that looked like i'd have to change more code :)
btw -- is there anything which stops mech_plain_auth_continue from doing a
somewhat unbounded pstrdup if you send "a\0b" for the auth string?
-dean
diff -rpu dovecot-0.99.10.6.deborig/debian/changelog
dovecot-0.99.10.6/debian/changelog
--- dovecot-0.99.10.6.deborig/debian/changelog 2004-07-08 18:11:55.000000000
-0700
+++ dovecot-0.99.10.6/debian/changelog 2004-07-08 18:34:40.000000000 -0700
@@ -1,3 +1,9 @@
+dovecot (0.99.10.6-3.dg1) unstable; urgency=low
+
+ * hack a solution to pass PAM_RHOST the remote ip
+
+ -- dean gaudet <dean at arctic.org> Thu, 8 Jul 2004 18:34:26 -0700
+
dovecot (0.99.10.6-3) unstable; urgency=low
* Patched so dovecot follows symlinks to directories again.
diff -rpu dovecot-0.99.10.6.deborig/src/auth/auth-login-interface.h
dovecot-0.99.10.6/src/auth/auth-login-interface.h
--- dovecot-0.99.10.6.deborig/src/auth/auth-login-interface.h 2003-05-18
05:26:28.000000000 -0700
+++ dovecot-0.99.10.6/src/auth/auth-login-interface.h 2004-07-08
18:32:22.000000000 -0700
@@ -1,6 +1,8 @@
#ifndef __AUTH_LOGIN_INTERFACE_H
#define __AUTH_LOGIN_INTERFACE_H
+#include "network.h"
+
/* max. size for auth_login_request_continue.data[] */
#define AUTH_LOGIN_MAX_REQUEST_DATA_SIZE 4096
@@ -57,6 +59,8 @@ struct auth_login_request_continue {
enum auth_login_request_type type; /* AUTH_LOGIN_REQUEST_CONTINUE */
unsigned int id;
+ struct ip_addr remote_ip;
+
size_t data_size;
/* unsigned char data[]; */
};
diff -rpu dovecot-0.99.10.6.deborig/src/auth/mech-plain.c
dovecot-0.99.10.6/src/auth/mech-plain.c
--- dovecot-0.99.10.6.deborig/src/auth/mech-plain.c 2003-05-18
05:26:28.000000000 -0700
+++ dovecot-0.99.10.6/src/auth/mech-plain.c 2004-07-08 18:25:14.000000000 -0700
@@ -21,6 +21,7 @@ mech_plain_auth_continue(struct auth_req
size_t i, count, len;
auth_request->callback = callback;
+ auth_request->remote_ip = request->remote_ip;
/* authorization ID \0 authentication ID \0 pass.
we'll ignore authorization ID for now. */
diff -rpu dovecot-0.99.10.6.deborig/src/auth/mech.h
dovecot-0.99.10.6/src/auth/mech.h
--- dovecot-0.99.10.6.deborig/src/auth/mech.h 2003-05-18 05:26:28.000000000
-0700
+++ dovecot-0.99.10.6/src/auth/mech.h 2004-07-08 18:31:42.000000000 -0700
@@ -1,6 +1,7 @@
#ifndef __MECH_H
#define __MECH_H
+#include "network.h"
#include "auth-login-interface.h"
struct login_connection;
@@ -11,6 +12,7 @@ typedef void mech_callback_t(struct auth
struct auth_request {
pool_t pool;
char *user;
+ struct ip_addr remote_ip;
struct login_connection *conn;
unsigned int id;
diff -rpu dovecot-0.99.10.6.deborig/src/auth/passdb-pam.c
dovecot-0.99.10.6/src/auth/passdb-pam.c
--- dovecot-0.99.10.6.deborig/src/auth/passdb-pam.c 2003-11-08
06:17:51.000000000 -0800
+++ dovecot-0.99.10.6/src/auth/passdb-pam.c 2004-07-08 18:32:52.000000000 -0700
@@ -166,13 +166,23 @@ static int pam_userpass_conv(int num_msg
return PAM_SUCCESS;
}
-static int pam_auth(pam_handle_t *pamh, const char *user, const char **error)
+static int pam_auth(pam_handle_t *pamh, const char *user,
+ const struct ip_addr *remote_ip, const char **error)
{
void *item;
int status;
+ const char *addr;
*error = NULL;
+ if ((addr = net_ip2addr(remote_ip))
+ && (status = pam_set_item(pamh, PAM_RHOST, addr))
+ != PAM_SUCCESS) {
+ *error = t_strdup_printf("pam_set_item(PAM_RHOST, %s) failed: %s",
+ addr, pam_strerror(pamh, status));
+ return status;
+ }
+
if ((status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
*error = t_strdup_printf("pam_authenticate(%s) failed: %s",
user, pam_strerror(pamh, status));
@@ -205,7 +215,8 @@ static int pam_auth(pam_handle_t *pamh,
static void
pam_verify_plain_child(const char *service, const char *user,
- const char *password, int fd)
+ const char *password, const struct ip_addr *remote_ip,
+ int fd)
{
pam_handle_t *pamh;
struct pam_userpass userpass;
@@ -228,7 +239,7 @@ pam_verify_plain_child(const char *servi
str = t_strdup_printf("pam_start(%s) failed: %s",
user, pam_strerror(pamh, status));
} else {
- status = pam_auth(pamh, user, &str);
+ status = pam_auth(pamh, user, remote_ip, &str);
if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) {
/* FIXME: check for PASSDB_RESULT_UNKNOWN_USER
somehow? */
@@ -353,7 +364,7 @@ pam_verify_plain(struct auth_request *re
if (pid == 0) {
(void)close(fd[0]);
- pam_verify_plain_child(service, request->user, password, fd[1]);
+ pam_verify_plain_child(service, request->user, password,
&request->remote_ip, fd[1]);
_exit(0);
}
diff -rpu dovecot-0.99.10.6.deborig/src/imap-login/client-authenticate.c
dovecot-0.99.10.6/src/imap-login/client-authenticate.c
--- dovecot-0.99.10.6.deborig/src/imap-login/client-authenticate.c 2003-11-24
11:50:55.000000000 -0800
+++ dovecot-0.99.10.6/src/imap-login/client-authenticate.c 2004-07-08
18:21:19.000000000 -0700
@@ -140,7 +140,7 @@ static void login_callback(struct auth_r
case 0:
/* continue */
ptr = buffer_get_data(client->plain_login, &size);
- auth_continue_request(request, ptr, size);
+ auth_continue_request(request, ptr, size, &client->common.ip);
buffer_set_used_size(client->plain_login, 0);
break;
@@ -270,7 +270,8 @@ static void client_auth_input(void *cont
} else {
auth_continue_request(client->common.auth_request,
buffer_get_data(buf, NULL),
- buffer_get_used_size(buf));
+ buffer_get_used_size(buf),
+ &client->common.ip);
}
/* clear sensitive data */
diff -rpu dovecot-0.99.10.6.deborig/src/login-common/auth-connection.c
dovecot-0.99.10.6/src/login-common/auth-connection.c
--- dovecot-0.99.10.6.deborig/src/login-common/auth-connection.c 2003-05-26
08:27:13.000000000 -0700
+++ dovecot-0.99.10.6/src/login-common/auth-connection.c 2004-07-08
18:33:38.000000000 -0700
@@ -335,13 +335,21 @@ int auth_init_request(enum auth_mech mec
}
void auth_continue_request(struct auth_request *request,
- const unsigned char *data, size_t data_size)
+ const unsigned char *data, size_t data_size,
+ const struct ip_addr *remote_ip)
{
struct auth_login_request_continue auth_request;
/* send continued request to auth */
auth_request.type = AUTH_LOGIN_REQUEST_CONTINUE;
auth_request.id = request->id;
+ if (remote_ip) {
+ auth_request.remote_ip = *remote_ip;
+ }
+ else {
+ memset(&auth_request.remote_ip,
+ 0, sizeof(auth_request.remote_ip));
+ }
auth_request.data_size = data_size;
if (o_stream_send(request->conn->output, &auth_request,
diff -rpu dovecot-0.99.10.6.deborig/src/login-common/auth-connection.h
dovecot-0.99.10.6/src/login-common/auth-connection.h
--- dovecot-0.99.10.6.deborig/src/login-common/auth-connection.h 2003-02-09
23:56:23.000000000 -0800
+++ dovecot-0.99.10.6/src/login-common/auth-connection.h 2004-07-08
18:20:58.000000000 -0700
@@ -48,7 +48,8 @@ int auth_init_request(enum auth_mech mec
const char **error);
void auth_continue_request(struct auth_request *request,
- const unsigned char *data, size_t data_size);
+ const unsigned char *data, size_t data_size,
+ const struct ip_addr *remote_ip);
void auth_abort_request(struct auth_request *request);
diff -rpu dovecot-0.99.10.6.deborig/src/pop3-login/client-authenticate.c
dovecot-0.99.10.6/src/pop3-login/client-authenticate.c
--- dovecot-0.99.10.6.deborig/src/pop3-login/client-authenticate.c 2003-11-24
11:52:09.000000000 -0800
+++ dovecot-0.99.10.6/src/pop3-login/client-authenticate.c 2004-07-08
18:21:32.000000000 -0700
@@ -141,7 +141,7 @@ static void login_callback(struct auth_r
case 0:
ptr = buffer_get_data(client->plain_login, &size);
- auth_continue_request(request, ptr, size);
+ auth_continue_request(request, ptr, size, &client->common.ip);
buffer_set_used_size(client->plain_login, 0);
break;
@@ -259,7 +259,8 @@ static void client_auth_input(void *cont
} else {
auth_continue_request(client->common.auth_request,
buffer_get_data(buf, NULL),
- buffer_get_used_size(buf));
+ buffer_get_used_size(buf),
+ &client->common.ip);
}
/* clear sensitive data */