dovecot - Jun 2004 - PAM_RHOST item

A little problem, which is bugging me:  when using PAM authentication,
Dovecot (0.99.5) does not set the PAM_RHOST item, so the PAM modules
cannot know who the client is.  We need this for some PAM module doing
access control.

Changing passdb-pam.c to pam_set_item it seems trivial, but I'm bugged
as to how to get the client name from there.  It seems not to be
available in the auth_request strut or anything from there.  I tried
even adding an upwards reference from there to the struct client *,
but then I see that there are three structs named client and two
structs named auth_request, and somehow I got into trouble of passing
it cleanly.

Any help or guidance for it is greatly appreciated.  (I know Dovecot
0.99 is not really under development and such stuff is done in Dovecot
1.0 now, but that's not yet stable and for now we're using 0.99 where
it would help).

  Thanks,
  -- Tom

-- 
  Tom Alsberg - hacker (being the best description fitting this space)
  Web page:	http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER:  The above message does not even necessarily represent what
my fingers have typed on the keyboard, save anything further.

On Mon, 2004-06-14 at 09:53, Tom Alsberg wrote:
> Changing passdb-pam.c to pam_set_item it seems trivial, but I'm bugged
> as to how to get the client name from there.  It seems not to be
> available in the auth_request strut or anything from there.  I tried
> even adding an upwards reference from there to the struct client *,
> but then I see that there are three structs named client and two
> structs named auth_request, and somehow I got into trouble of passing
> it cleanly.
See Chernomorets Sergey's recent post about vpopmail. It has client_ip
passed all the way to auth_request. I'll also commit this to CVS:

Index: passdb-pam.c
==================================================================RCS file:
/home/cvs/dovecot/src/auth/passdb-pam.c,v
retrieving revision 1.15
diff -u -r1.15 passdb-pam.c
--- passdb-pam.c	31 May 2004 18:57:25 -0000	1.15
+++ passdb-pam.c	15 Jun 2004 03:12:37 -0000
@@ -15,6 +15,7 @@
 #include "common.h"
 #include "buffer.h"
 #include "ioloop.h"
+#include "network.h"
 #include "passdb.h"
 #include "mycrypt.h"
 #include "safe-memset.h"
@@ -204,7 +205,7 @@
 }
 
 static void
-pam_verify_plain_child(const char *service, const char *user,
+pam_verify_plain_child(const struct auth_request *request, const char *service,
 		       const char *password, int fd)
 {
 	pam_handle_t *pamh;
@@ -219,15 +220,21 @@
 	conv.conv = pam_userpass_conv;
 	conv.appdata_ptr = &userpass;
 
-	userpass.user = user;
+	userpass.user = request->user;
 	userpass.pass = password;
 
-	status = pam_start(service, user, &conv, &pamh);
+	status = pam_start(service, request->user, &conv, &pamh);
 	if (status != PAM_SUCCESS) {
 		result = PASSDB_RESULT_INTERNAL_FAILURE;
 		str = t_strdup_printf("pam_start() failed: %s",
 				      pam_strerror(pamh, status));
 	} else {
+#ifdef PAM_RHOST
+		const char *host = net_ip2addr(&request->remote_ip);
+		if (host != NULL)
+			pam_set_item(pamh, PAM_RHOST, host);
+#endif
+
 		status = pam_auth(pamh, &str);
 		if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) {
 			/* FIXME: check for PASSDB_RESULT_UNKNOWN_USER
@@ -360,7 +367,7 @@
 
 	if (pid == 0) {
 		(void)close(fd[0]);
-		pam_verify_plain_child(service, request->user, password, fd[1]);
+		pam_verify_plain_child(request, service, password, fd[1]);
 		_exit(0);
 	}
 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20040615/f679fa21/attachment-0001.bin>