Add PAM_RHOST support

Supplies the IP address that an authentication event is received from as the PAM parameter PAM_RHOST for PAM-capable systems.
neutrinolabs · May 5, 2022 · 79a1106 · 79a1106
1 parent 66213af
commit 79a1106
Show file tree

Hide file tree

Showing 7 changed files with 30 additions and 12 deletions.
diff --git a/sesman/auth.h b/sesman/auth.h
@@ -32,11 +32,13 @@
  * @brief Validates user's password
  * @param user user's login name
  * @param pass user's password
+ * @param client_ip IP address of connecting client (or ""/NULL if not known)
  * @return non-zero handle on success, 0 on failure
  *
  */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode);
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode);
 
 /**
  *

diff --git a/sesman/scp_process.c b/sesman/scp_process.c
@@ -75,7 +75,7 @@ process_gateway_request(struct trans *trans)
         LOG(LOG_LEVEL_INFO, "Received authentication request for user: %s",
             username);
 
-        data = auth_userpass(username, password, &errorcode);
+        data = auth_userpass(username, password, ip_addr, &errorcode);
         if (data)
         {
             if (1 == access_login_allowed(username))
@@ -133,7 +133,7 @@ process_create_session_request(struct trans *trans)
             SCP_SESSION_TYPE_TO_STR(sp.type),
             sp.username);
 
-        data = auth_userpass(sp.username, password, &errorcode);
+        data = auth_userpass(sp.username, password, sp.ip_addr, &errorcode);
         if (data)
         {
             s_item = session_get_bydata(&sp);
@@ -219,7 +219,7 @@ process_list_sessions_request(struct trans *trans)
         LOG(LOG_LEVEL_INFO,
             "Received request to list sessions for user %s", username);
 
-        data = auth_userpass(username, password, &errorcode);
+        data = auth_userpass(username, password, NULL, &errorcode);
         if (data)
         {
             struct scp_session_info *info = NULL;

diff --git a/sesman/verify_user.c b/sesman/verify_user.c
@@ -51,7 +51,8 @@ auth_account_disabled(struct spwd *stp);
 /******************************************************************************/
 /* returns boolean */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     const char *encr;
     const char *epass;

diff --git a/sesman/verify_user_bsd.c b/sesman/verify_user_bsd.c
@@ -46,7 +46,8 @@
 /******************************************************************************/
 /* returns boolean */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     int ret = auth_userokay(user, NULL, "auth-xrdp", pass);
     return ret;

diff --git a/sesman/verify_user_kerberos.c b/sesman/verify_user_kerberos.c
@@ -400,8 +400,9 @@ k5_kinit(struct k_opts *opts, struct k5_data *k5, struct user_info *u_info)
 
 /******************************************************************************/
 /* returns boolean */
-int
-auth_userpass(const char *user, const char *pass, int *errorcode)
+long
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     struct k_opts opts;
     struct k5_data k5;

diff --git a/sesman/verify_user_pam.c b/sesman/verify_user_pam.c
@@ -32,6 +32,7 @@
 #include "os_calls.h"
 #include "log.h"
 #include "string_calls.h"
+#include "auth.h"
 
 #include <stdio.h>
 #include <security/pam_appl.h>
@@ -212,7 +213,8 @@ get_service_name(char *service_name)
  Stores the detailed error code in the errorcode variable*/
 
 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     int error;
     struct t_auth_info *auth_info;
@@ -239,10 +241,20 @@ auth_userpass(const char *user, const char *pass, int *errorcode)
         return 0;
     }
 
+    if (client_ip != NULL && client_ip[0] != '\0')
+    {
+        error = pam_set_item(auth_info->ph, PAM_RHOST, client_ip);
+        if (error != PAM_SUCCESS)
+        {
+            LOG(LOG_LEVEL_ERROR, "pam_set_item(PAM_RHOST) failed: %s",
+                pam_strerror(auth_info->ph, error));
+        }
+    }
+
     error = pam_set_item(auth_info->ph, PAM_TTY, service_name);
     if (error != PAM_SUCCESS)
     {
-        LOG(LOG_LEVEL_ERROR, "pam_set_item failed: %s",
+        LOG(LOG_LEVEL_ERROR, "pam_set_item(PAM_TTY) failed: %s",
             pam_strerror(auth_info->ph, error));
     }
 

diff --git a/sesman/verify_user_pam_userpass.c b/sesman/verify_user_pam_userpass.c
@@ -38,8 +38,9 @@
 
 /******************************************************************************/
 /* returns boolean */
-int
-auth_userpass(const char *user, const char *pass, int *errorcode)
+long
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     pam_handle_t *pamh;
     pam_userpass_t userpass;