From: paolo <paolo.cerr...@uniroma2.it>
---
src/plugins/auth-pam/auth-pam.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 70339445..f91a2f02 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -49,7 +49,7 @@
#include <syslog.h>
#include <limits.h>
#include "utils.h"
-
+#include <arpa/inet.h>
#include <openvpn-plugin.h>
#define DEBUG(verb) ((verb) >= 4)
@@ -121,6 +121,7 @@ struct user_pass {
char password[128];
char common_name[128];
char response[128];
+ char remote[INET6_ADDRSTRLEN];
const struct name_value_list *name_value_list;
};
@@ -529,6 +530,11 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
const int type, const cha
const char *username = get_env("username", envp);
const char *password = get_env("password", envp);
const char *common_name = get_env("common_name", envp) ?
get_env("common_name", envp) : "";
+ const char *remote = get_env("untrusted_ip6", envp);
+
+ if (remote == NULL){
+ remote = get_env("untrusted_ip", envp); //if Null, try to take
ipv4 if not set ipv6
+ }
/* should we do deferred auth?
* yes, if there is "auth_control_file" and "deferred_auth_pam" env
@@ -555,6 +561,7 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
const int type, const cha
|| send_string(context->foreground_fd, password) == -1
|| send_string(context->foreground_fd, common_name) == -1
|| send_string(context->foreground_fd, auth_control_file) ==
-1)
+ || send_string(context->foreground_fd, remote) == -1)
{
plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error sending auth
info to background process");
}
@@ -789,8 +796,16 @@ pam_auth(const char *service, const struct user_pass *up)
status = pam_start(service, name_value_list_provided ? NULL :
up->username, &conv, &pamh);
if (status == PAM_SUCCESS)
{
+ /* Set PAM_RHOST environment variable */
+ if (*(up->remote))
+ {
+ status = pam_set_item(pamh, PAM_RHOST, up->remote);
+ }
/* Call PAM to verify username/password */
- status = pam_authenticate(pamh, 0);
+ if (status == PAM_SUCCESS)
+ {
+ status = pam_authenticate(pamh, 0);
+ }
if (status == PAM_SUCCESS)
{
status = pam_acct_mgmt(pamh, 0);
@@ -957,6 +972,7 @@ pam_server(int fd, const char *service, int verb, const
struct name_value_list *
|| recv_string(fd, up.password, sizeof(up.password)) == -1
|| recv_string(fd, up.common_name, sizeof(up.common_name))
== -1
|| recv_string(fd, ac_file_name, sizeof(ac_file_name)) ==
-1)
+ || recv_string(fd, up.remote, sizeof(up.remote)) == -1)
{
plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read
error on command channel: code=%d, exiting",
command);
@@ -970,6 +986,7 @@ pam_server(int fd, const char *service, int verb, const
struct name_value_list *
up.username, up.password);
#else
plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: USER: %s",
up.username);
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: REMOTE: %s",
up.remote);
#endif
}
--
2.36.1
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
