[exim] Set rhost for PAM authentication

Góra strony
Delete this message
Reply to this message
Autor: Yves Goergen
Data:  
Dla: exim-users
Temat: [exim] Set rhost for PAM authentication
Hello,

I'm using the PAM authentication in Exim together with a custom PAM
module that validates the password. I noticed that the rhost (remote
host) field is not set for PAM requests from Exim (Dovecot sets this
field though and sshd also seems to do so).

My Exim config looks like this:

> begin authenticators
>
> fixed_plain:
>     driver = plaintext
>     public_name = PLAIN
>     server_prompts = :
>     # Check password in $auth3 for user in $auth2
>     server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
>     server_set_id = $auth2

>
> login:
>     driver = plaintext
>     public_name = LOGIN
>     server_prompts = Username:: : Password::
>     # Check password in $auth2 for user in $auth1
>     server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}
>     server_set_id = $auth1


Is there anything I can do to also pass the remote IP address to the PAM
module? The Exim manual suggests passing more parameters to the PAM
function, but it's unclear what to do here.

> pam {<string1>:<string2>:...}

My PAM module includes this code to retrieve the requested data:

> // Get the service
> retval = pam_get_item(pamh, PAM_SERVICE, (void*)&service);
> if (retval != PAM_SUCCESS || service == NULL)
> {
>     pam_syslog(pamh, LOG_ERR, "cannot get service");
>     return PAM_SERVICE_ERR;
> }

>
> // Get the remote user
> retval = pam_get_item(pamh, PAM_RUSER, (void*)&ruser);
> if (retval != PAM_SUCCESS || ruser == NULL)
> {
>     ruser = "";
> }

>
> // Get the remote host
> retval = pam_get_item(pamh, PAM_RHOST, (void*)&rhost);
> if (retval != PAM_SUCCESS || rhost == NULL)
> {
>     rhost = "";
> }

>
> // Get the username
> retval = pam_get_user(pamh, &username, NULL);
> if (retval != PAM_SUCCESS)
> {
>     pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", pam_strerror(pamh, retval));
>     return PAM_SERVICE_ERR;
> }

>
> // Converse to obtain a password
> retval = obtain_authtok(pamh);
> if (retval != PAM_SUCCESS)
> {
>     pam_syslog(pamh, LOG_ERR, "cannot obtain password from user");
>     return retval;
> }


-Yves