Hello,
I'm using the PAM authentication in Exim together with a custom PAM
module that validates the password. I noticed that the rhost (remote
host) field is not set for PAM requests from Exim (Dovecot sets this
field though and sshd also seems to do so).
My Exim config looks like this:
begin authenticators
fixed_plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
# Check password in $auth3 for user in $auth2
server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
server_set_id = $auth2
login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
# Check password in $auth2 for user in $auth1
server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}
server_set_id = $auth1
Is there anything I can do to also pass the remote IP address to the PAM
module? The Exim manual suggests passing more parameters to the PAM
function, but it's unclear what to do here.
pam {<string1>:<string2>:...}
My PAM module includes this code to retrieve the requested data:
// Get the service
retval = pam_get_item(pamh, PAM_SERVICE, (void*)&service);
if (retval != PAM_SUCCESS || service == NULL)
{
pam_syslog(pamh, LOG_ERR, "cannot get service");
return PAM_SERVICE_ERR;
}
// Get the remote user
retval = pam_get_item(pamh, PAM_RUSER, (void*)&ruser);
if (retval != PAM_SUCCESS || ruser == NULL)
{
ruser = "";
}
// Get the remote host
retval = pam_get_item(pamh, PAM_RHOST, (void*)&rhost);
if (retval != PAM_SUCCESS || rhost == NULL)
{
rhost = "";
}
// Get the username
retval = pam_get_user(pamh, &username, NULL);
if (retval != PAM_SUCCESS)
{
pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s",
pam_strerror(pamh, retval));
return PAM_SERVICE_ERR;
}
// Converse to obtain a password
retval = obtain_authtok(pamh);
if (retval != PAM_SUCCESS)
{
pam_syslog(pamh, LOG_ERR, "cannot obtain password from user");
return retval;
}
-Yves
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
