From 79a1106a3743ea5b2a8ec20fc2e54de01b1e8ee7 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 12 Apr 2022 12:37:30 +0100
Subject: [PATCH] Add PAM_RHOST support

Supplies the IP address that an authentication event is received from as the PAM parameter PAM_RHOST for PAM-capable systems.
---
 sesman/auth.h | 4 +++-
 sesman/scp_process.c | 6 +++---
 sesman/verify_user.c | 3 ++-
 sesman/verify_user_bsd.c | 3 ++-
 sesman/verify_user_kerberos.c | 5 +++--
 sesman/verify_user_pam.c | 16 ++++++++++++++--
 sesman/verify_user_pam_userpass.c | 5 +++--
 7 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/sesman/auth.h b/sesman/auth.h
index 56f780902..3ae0ea3c7 100644
--- a/sesman/auth.h
+++ b/sesman/auth.h
@@ -32,11 +32,13 @@
  * @brief Validates user's password
  * @param user user's login name
  * @param pass user's password
+ * @param client_ip IP address of connecting client (or ""/NULL if not known)
  * @return non-zero handle on success, 0 on failure
  *
  */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode);
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode);

 /**
  *
diff --git a/sesman/scp_process.c b/sesman/scp_process.c
index 822da41ae..7acf61b46 100644
--- a/sesman/scp_process.c
+++ b/sesman/scp_process.c
@@ -75,7 +75,7 @@ process_gateway_request(struct trans *trans)
     LOG(LOG_LEVEL_INFO, "Received authentication request for user: %s",
         username);

-    data = auth_userpass(username, password, &errorcode);
+    data = auth_userpass(username, password, ip_addr, &errorcode);
     if (data)
     {
         if (1 == access_login_allowed(username))
@@ -133,7 +133,7 @@ process_create_session_request(struct trans *trans)
         SCP_SESSION_TYPE_TO_STR(sp.type),
         sp.username);

-    data = auth_userpass(sp.username, password, &errorcode);
+    data = auth_userpass(sp.username, password, sp.ip_addr, &errorcode);
     if (data)
     {
         s_item = session_get_bydata(&sp);
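Review bot: The new `@param client_ip` line in sesman/auth.h says what the value is but not what it is for, so a caller cannot tell whether it influences the authentication decision or is only forwarded. Elsewhere in this patch only sesman/verify_user_pam.c visibly passes it on (as PAM_RHOST); the other backends show no use of it in their hunks. Suggest `@param client_ip IP address of connecting client (or ""/NULL if not known); forwarded to the authentication backend as PAM_RHOST where the backend supports it` so the contract, and the fact that some backends ignore it, is stated at the one declaration every backend implements.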
@@ -219,7 +219,7 @@ process_list_sessions_request(struct trans *trans)
     LOG(LOG_LEVEL_INFO, "Received request to list sessions for user %s",
         username);

-    data = auth_userpass(username, password, &errorcode);
+    data = auth_userpass(username, password, NULL, &errorcode);
     if (data)
     {
         struct scp_session_info *info = NULL;
diff --git a/sesman/verify_user.c b/sesman/verify_user.c
index 2c72d38e4..0e48a4893 100644
--- a/sesman/verify_user.c
+++ b/sesman/verify_user.c
@@ -51,7 +51,8 @@ auth_account_disabled(struct spwd *stp);
 /******************************************************************************/
 /* returns boolean */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     const char *encr;
     const char *epass;
diff --git a/sesman/verify_user_bsd.c b/sesman/verify_user_bsd.c
index 064896530..8a3451193 100644
--- a/sesman/verify_user_bsd.c
+++ b/sesman/verify_user_bsd.c
@@ -46,7 +46,8 @@
 /******************************************************************************/
 /* returns boolean */
 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     int ret = auth_userokay(user, NULL, "auth-xrdp", pass);
     return ret;
diff --git a/sesman/verify_user_kerberos.c b/sesman/verify_user_kerberos.c
index 6ddc6a807..de7fbd89d 100644
--- a/sesman/verify_user_kerberos.c
+++ b/sesman/verify_user_kerberos.c
@@ -400,8 +400,9 @@ k5_kinit(struct k_opts *opts, struct k5_data *k5, struct user_info *u_info)

 /******************************************************************************/
 /* returns boolean */
-int
-auth_userpass(const char *user, const char *pass, int *errorcode)
+long
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     struct k_opts opts;
     struct k5_data k5;
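Review bot: `client_ip` is added to the signature of auth_userpass in sesman/verify_user.c but nothing in the hunk reads it, and the same holds for sesman/verify_user_bsd.c (where the whole two-line body is visible and ignores it), sesman/verify_user_kerberos.c and sesman/verify_user_pam_userpass.c; the verify_user.c and kerberos bodies continue outside their hunks, so I cannot rule out a later use there. In the builds that select these backends this is an unused-parameter warning under `-Wextra`, and more importantly a reader has no record that the address deliberately plays no part in the decision. A one-liner at the top of each body such as `(void)client_ip; /* not consulted by this backend; only the PAM backend forwards it as PAM_RHOST */` keeps the build clean and makes the intent explicit.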
diff --git a/sesman/verify_user_pam.c b/sesman/verify_user_pam.c
index 0d384eaf9..47e04e2a2 100644
--- a/sesman/verify_user_pam.c
+++ b/sesman/verify_user_pam.c
@@ -32,6 +32,7 @@
 #include "os_calls.h"
 #include "log.h"
 #include "string_calls.h"
+#include "auth.h"

 #include
 #include
@@ -212,7 +213,8 @@ get_service_name(char *service_name)
    Stores the detailed error code in the errorcode variable*/

 long
-auth_userpass(const char *user, const char *pass, int *errorcode)
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     int error;
     struct t_auth_info *auth_info;
@@ -239,10 +241,20 @@ auth_userpass(const char *user, const char *pass, int *errorcode)
         return 0;
     }

+    if (client_ip != NULL && client_ip[0] != '\0')
+    {
+        error = pam_set_item(auth_info->ph, PAM_RHOST, client_ip);
+        if (error != PAM_SUCCESS)
+        {
+            LOG(LOG_LEVEL_ERROR, "pam_set_item(PAM_RHOST) failed: %s",
+                pam_strerror(auth_info->ph, error));
+        }
+    }
+
     error = pam_set_item(auth_info->ph, PAM_TTY, service_name);
     if (error != PAM_SUCCESS)
     {
-        LOG(LOG_LEVEL_ERROR, "pam_set_item failed: %s",
+        LOG(LOG_LEVEL_ERROR, "pam_set_item(PAM_TTY) failed: %s",
             pam_strerror(auth_info->ph, error));
     }

diff --git a/sesman/verify_user_pam_userpass.c b/sesman/verify_user_pam_userpass.c
index ac5981f43..a2db011d3 100644
--- a/sesman/verify_user_pam_userpass.c
+++ b/sesman/verify_user_pam_userpass.c
@@ -38,8 +38,9 @@

 /******************************************************************************/
 /* returns boolean */
-int
-auth_userpass(const char *user, const char *pass, int *errorcode)
+long
+auth_userpass(const char *user, const char *pass,
+              const char *client_ip, int *errorcode)
 {
     pam_handle_t *pamh;
     pam_userpass_t userpass;
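Review bot: In the third hunk of sesman/verify_user_pam.c a failed `pam_set_item(PAM_RHOST)` is only logged and authentication continues, so any module that consults PAM_RHOST (host-based access rules, per-host lockout, audit records) then runs with no remote address; that is a fail-open choice and should either be stated in a comment or handled like the `pam_start` failure just above the hunk, i.e. `return 0;` after the existing cleanup (those cleanup lines are outside the hunk, so I cannot quote them). Separately, `client_ip` is handed to PAM verbatim and its origin is the SCP request in sesman/scp_process.c rather than this function, so a cheap `inet_pton` check that it is a well-formed IPv4/IPv6 literal before the `pam_set_item` call would keep malformed or control-character strings out of PAM module logs. The enclosing auth_userpass continues past the end of the hunk.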
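Review bot: sesman/verify_user_pam_userpass.c is also a PAM backend (`pam_handle_t *pamh;` is declared in the hunk), yet the only change here is the signature and `client_ip` is never passed to `pam_set_item(pamh, PAM_RHOST, client_ip)` the way sesman/verify_user_pam.c now does; the diffstat for this file (`5 +++--`) is fully accounted for by this hunk, so no other hunk adds it. If that is intentional, the commit message's "for PAM-capable systems" overstates the change and should name verify_user_pam.c as the only backend that forwards the address; otherwise the same guarded block belongs in this file after its `pam_start`, whose lines lie outside the hunk.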