I was browsing the OpenSSH sources (which are very readable, thank you
very much) and noticed that PAM was only being told what host the user
is logging in from for account processing - not for password
processing. As I can see no reason not to put this in start_pam this is
exactly what I have done - and attached a patch to this effect.
This allows PAM to fill in rhost= in its audit messages (pam_unix), and
may in fact be used in some module, somewhere.
(The patch is against RedHat's patched 2.3.0p1, and looks very slightly
odd because the last 2 lines it adds are the same as the 2 lines
before the patch.)
--
Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
--- auth-pam.c.orig Sat Feb 10 13:01:35 2001
+++ auth-pam.c Sat Feb 10 14:14:53 2001
@@ -191,14 +191,6 @@
{
int pam_retval;
- debug("PAM setting rhost to \"%.200s\"",
get_canonical_hostname());
- pam_retval = pam_set_item(pamh, PAM_RHOST,
- get_canonical_hostname());
- if (pam_retval != PAM_SUCCESS) {
- fatal("PAM set rhost failed[%d]: %.200s",
- pam_retval, PAM_STRERROR(pamh, pam_retval));
- }
-
if (remote_user != NULL) {
debug("PAM setting ruser to \"%.200s\"", remote_user);
pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user);
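Review bot: the removed debug() call at the top of this hunk is split across two lines, and its continuation `get_canonical_hostname());` carries no `-` marker, so the patch appears to have been line-wrapped in transit and will not apply as sent; please resend it unwrapped. On the change itself, once this block is gone the account path relies entirely on start_pam having set PAM_RHOST, so a one-line comment here saying where rhost is now set would save the next reader from hunting for it.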
@@ -310,6 +302,14 @@
if (pam_retval != PAM_SUCCESS) {
fatal("PAM initialisation failed[%d]: %.200s",
+ pam_retval, PAM_STRERROR(pamh, pam_retval));
+ }
+
+ debug("PAM setting rhost to \"%.200s\"",
get_canonical_hostname());
+ pam_retval = pam_set_item(pamh, PAM_RHOST,
+ get_canonical_hostname());
+ if (pam_retval != PAM_SUCCESS) {
+ fatal("PAM set rhost failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
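Review bot: in the added block, get_canonical_hostname() is called twice, once for debug() and once for pam_set_item(); call it once into a local variable and pass that to both, so the value that is logged is by construction the value PAM receives. The added debug() line is also wrapped without a `+` on its continuation line. Since the reason for the move is that rhost must be set before password processing so that modules such as pam_unix can report rhost=, a short comment above the block stating that would document the ordering requirement.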