Hi,

another example (and the simplest case) is:

support for setting the remote client data in the PAM environment, which
in turn allows PAM to correctly log the client address to syslog

Paolo Cerrito

Il 27/06/19 11:07, Antonio Quartulli ha scritto:
> Hi,
>
> On 27/06/2019 10:26, Paolo Cerrito wrote:
>> From: paolo <paolo.cerr...@uniroma2.it>
>>
>> Signed-off-by: Paolo Cerrito <paolo.cerr...@uniroma2.it>
> Why do we need this change?
> What benefit does it give us?
> How can it be used?
>
> IMHO it would be nice to add these pieces of information to the commit
> message (right now it feels .. "empty" ;-) )
>
> Regards,
>
>> ---
>>  src/plugins/auth-pam/auth-pam.c | 19 ++++++++++++++++---
>>  1 file changed, 16 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/plugins/auth-pam/auth-pam.c 
>> b/src/plugins/auth-pam/auth-pam.c
>> index 88b53204..9d8dfb95 100644
>> --- a/src/plugins/auth-pam/auth-pam.c
>> +++ b/src/plugins/auth-pam/auth-pam.c
>> @@ -115,6 +115,7 @@ struct user_pass {
>>      char password[128];
>>      char common_name[128];
>>      char response[128];
>> +    char remote[128];
>>  
>>      const struct name_value_list *name_value_list;
>>  };
>> @@ -517,13 +518,15 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, 
>> const int type, const cha
>>          const char *username = get_env("username", envp);
>>          const char *password = get_env("password", envp);
>>          const char *common_name = get_env("common_name", envp) ? 
>> get_env("common_name", envp) : "";
>> +        const char *remote = get_env("untrusted_ip", envp) ? 
>> get_env("untrusted_ip", envp) : get_env("untrusted_ip6", envp);
>>  
>>          if (username && strlen(username) > 0 && password)
>>          {
>>              if (send_control(context->foreground_fd, COMMAND_VERIFY) == -1
>>                  || send_string(context->foreground_fd, username) == -1
>>                  || send_string(context->foreground_fd, password) == -1
>> -                || send_string(context->foreground_fd, common_name) == -1)
>> +                || send_string(context->foreground_fd, common_name) == -1
>> +                || send_string(context->foreground_fd, remote) == -1)
>>              {
>>                  fprintf(stderr, "AUTH-PAM: Error sending auth info to 
>> background process\n");
>>              }
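Review bot: `remote` is NULL when neither `untrusted_ip` nor `untrusted_ip6` is present in `envp`, and it is then passed straight to `send_string()`, whereas `common_name` two lines above falls back to `""`. The body of `send_string()` is not visible here, so whether it tolerates NULL cannot be confirmed, but the `common_name` fallback suggests it does not. I would write `const char *remote = get_env("untrusted_ip", envp);` followed by `if (!remote) remote = get_env("untrusted_ip6", envp);` and `if (!remote) remote = "";`, which also avoids calling `get_env()` twice for the same key. An empty string then makes the `if (*(up->remote))` guard in `pam_auth` skip the `pam_set_item()` call. The enclosing function starts and ends outside this hunk.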
>> @@ -750,8 +753,16 @@ pam_auth(const char *service, const struct user_pass 
>> *up)
>>      status = pam_start(service, name_value_list_provided ? NULL : 
>> up->username, &conv, &pamh);
>>      if (status == PAM_SUCCESS)
>>      {
>> +        /* Set PAM_RHOST environment variable */
>> +        if (*(up->remote))
>> +        {
>> +            status = pam_set_item(pamh, PAM_RHOST, up->remote);
>> +        }
>>          /* Call PAM to verify username/password */
>> -        status = pam_authenticate(pamh, 0);
>> +        if (status == PAM_SUCCESS)
>> +        {
>> +            status = pam_authenticate(pamh, 0);
>> +        }
>>          if (status == PAM_SUCCESS)
>>          {
>>              status = pam_acct_mgmt(pamh, 0);
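Review bot: The added comment calls PAM_RHOST an environment variable, but `pam_set_item()` sets a PAM item, which is distinct from the PAM environment managed by `pam_putenv()`; something like `/* Set the PAM_RHOST item so PAM modules can log the client address */` would be accurate. If `pam_set_item()` fails, the status falls through and the login is denied with nothing on stderr to say why, so a short `fprintf(stderr, "AUTH-PAM: BACKGROUND: pam_set_item(PAM_RHOST) failed\n");` in that branch would make it diagnosable. The comment should also say that the value comes from `untrusted_ip`/`untrusted_ip6`, i.e. the peer address as seen before authentication, so administrators know what PAM modules that act on PAM_RHOST are being given. The body of `pam_auth` continues outside this hunk.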
>> @@ -839,7 +850,8 @@ pam_server(int fd, const char *service, int verb, const 
>> struct name_value_list *
>>              case COMMAND_VERIFY:
>>                  if (recv_string(fd, up.username, sizeof(up.username)) == -1
>>                      || recv_string(fd, up.password, sizeof(up.password)) == 
>> -1
>> -                    || recv_string(fd, up.common_name, 
>> sizeof(up.common_name)) == -1)
>> +                    || recv_string(fd, up.common_name, 
>> sizeof(up.common_name)) == -1
>> +                    || recv_string(fd, up.remote, sizeof(up.remote)) == -1)
>>                  {
>>                      fprintf(stderr, "AUTH-PAM: BACKGROUND: read error on 
>> command channel: code=%d, exiting\n",
>>                              command);
>> @@ -853,6 +865,7 @@ pam_server(int fd, const char *service, int verb, const 
>> struct name_value_list *
>>                              up.username, up.password);
>>  #else
>>                      fprintf(stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", 
>> up.username);
>> +                    fprintf(stderr, "AUTH-PAM: BACKGROUND: REMOTE: %s\n", 
>> up.remote);
>>  #endif
>>                  }
>>  
>>

-- 
-----***********-----
Paolo Cerrito
-----***********-----


