On Fri, Oct 25, 2019 at 7:08 AM <wardrago...@gmail.com> wrote:
>
> From: Paolo Cerrito <wardrago...@gmail.com>
>
> Without this patch, the PAM environment lacks any information about the 
> remote client address.
>
> syslog output for auth and authpriv facilities changes
> from:
>    Oct 25 11:52:02 openvpndev openvpn: pam_unix(openvpn:auth): authentication failure;
>                    logname=root uid=0 euid=0 tty= ruser= rhost=
>    Oct 25 11:52:33 openvpndev openvpn: pam_unix(openvpn:auth): authentication failure;
>                    logname=root uid=0 euid=0 tty= ruser= rhost=  user=****
> to:
>    Oct 25 10:56:11 openvpndev openvpn: pam_unix(openvpn:auth): authentication failure;
>                    logname=root uid=0 euid=0 tty= ruser= rhost=198.51.100.10
>    Oct 25 10:57:02 openvpndev openvpn: pam_unix(openvpn:auth): authentication failure;
>                    logname=root uid=0 euid=0 tty= ruser= rhost=198.51.100.10 user=****
>
> Furthermore, the presence of the remote client address in the PAM
> environment enables usage of PAM modules like pam_recent
> [https://github.com/az143/pam_recent].
>
> Signed-off-by: Paolo Cerrito <wardrago...@gmail.com>

So, apart from the commit message, what are the changes in v2?

I don't see that my comment about ensuring remote read from env is not NULL
has been addressed, nor any response to a number of other points raised by David.

> ---
>  src/plugins/auth-pam/auth-pam.c | 39 ++++++++++++++++++++++++++++-----
>  1 file changed, 33 insertions(+), 6 deletions(-)
>
> diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
> index 88b53204..f7b39e36 100644
> --- a/src/plugins/auth-pam/auth-pam.c
> +++ b/src/plugins/auth-pam/auth-pam.c
> @@ -115,6 +115,7 @@ struct user_pass {
>      char password[128];
>      char common_name[128];
>      char response[128];
> +    char remote[40];
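
Review bot: the new remote[40] field in struct user_pass sizes the address buffer with a bare literal and carries no comment saying what it holds. Declare it with the named constant for textual addresses, e.g. char remote[INET6_ADDRSTRLEN]; from <netinet/in.h>, so the size documents itself and the longest IPv6 text form plus NUL fits, and add a one-line comment that it stores the remote client address.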

A textual IPv6 address buffer is usually defined to be at least 46 bytes
including NUL (not 40) to handle all cases.
(cf. INET6_ADDRSTRLEN = 46 in <netinet/in.h>)


Selva
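
The two review points in this reply (a NULL check on the value read from the environment, and a buffer large enough for any textual IPv6 address) shown together as an added example; it is not code from the patch or from OpenVPN. The helper name copy_remote_addr and the sample address are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the patch): copy a textual client address
 * into a fixed buffer. Returns 0 on success, -1 if src is NULL or empty,
 * does not fit together with its NUL, or is not an IPv4/IPv6 literal.
 * On failure dst is left as an empty string. */
static int copy_remote_addr(char *dst, size_t dstlen, const char *src)
{
    unsigned char bin[sizeof(struct in6_addr)];
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL || src[0] == '\0')      /* variable unset or empty */
        return -1;
    n = strlen(src);
    if (n >= dstlen)                        /* would truncate: reject */
        return -1;
    if (inet_pton(AF_INET, src, bin) != 1 && inet_pton(AF_INET6, src, bin) != 1)
        return -1;                          /* not an address literal */
    memcpy(dst, src, n + 1);                /* n + 1 copies the NUL too */
    return 0;
}

/* Constructed sample: the longest textual IPv6 form, 45 characters. */
static const char LONGEST_V6[] = "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255";

int main(void)
{
    char small[40];                 /* size used in the patch */
    char full[INET6_ADDRSTRLEN];    /* 46 bytes */

    printf("len=%zu\n", strlen(LONGEST_V6));
    printf("40-byte buffer: %d\n", copy_remote_addr(small, sizeof small, LONGEST_V6));
    printf("46-byte buffer: %d\n", copy_remote_addr(full, sizeof full, LONGEST_V6));
    printf("NULL source:    %d\n", copy_remote_addr(full, sizeof full, NULL));
    return 0;
}
```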


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
