Okay, I added that variable as third parameter to the pam function in
Exim and modified my PAM module so that it tries a second conversation
to fetch that rhost value. It's a special case for Exim only. Now the
logs are complete and the attacker's IP address is available to log
consumers like firewall tools.
It seems like Exim wants to provide two conversation answers but the PAM
module only required one. So whatever is provided as the first
conversation answer seems to be taken as the user name implicitly by
PAM. I cannot explain the observed behaviour otherwise.
Besides these conversation answers, there must also exist special
well-known items, like the rhost. Dovecot sets them like this, Exim
could very likely just do the same, but simply doesn't. Again, someone
with more experience in PAM would be a better advisor here. These are
just my limited observations.
-Yves
-------- Ursprüngliche Nachricht --------
Von: Jeremy Harris via Exim-users <[email protected]>
Gesendet: Freitag, 8. Januar 2021, 00:15 MEZ
Betreff: [exim] Set rhost for PAM authentication
On 07/01/2021 22:50, Yves Goergen via Exim-users wrote:
To be honest, I have no idea how PAM communicates internally. This code
is largely based on another module that comes with Linux and does
something similar, pam_userdb.c.
I see "exim" as the service name. I don't know what the remote_user
field is and don't regard it. Dovecot sends the IP address string as
remote host
So, you'll want to use the exim variable $sender_host_address for
an element in your list of fields.
From what I've read, I believed that these fields are more or less
defined in PAM, just like the return codes and stuff. Let's see...
Here's the code of dovecot:
https://github.com/dovecot/core/blob/master/src/auth/passdb-pam.c
It contains the PAM_RHOST constant. Looks like PAM knows what that field
means. And there is a pam_set_item function that looks like it should be
called by the application. What happens if I just add more values to the
Exim pam function?
This looks like the corresponding Exim code:
https://github.com/Exim/exim/blob/master/src/src/auths/call_pam.c
The pam library calls back to exim, calling our pam_converse() routine.
Exim supplies as many fields as it asks for, each time it is called -
without knowing what they might be used for. Exim gets fields to
supply by walking the list that your config-file use of the "pam"
expansion condition supplied.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
