Re: [exim] Set rhost for PAM authentication

Pàgina inicial
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
A: exim-users
Assumpte: Re: [exim] Set rhost for PAM authentication
On 07/01/2021 20:09, Yves Goergen via Exim-users wrote:
> I'm using the PAM authentication in Exim together with a custom PAM module that validates the password. I noticed that the rhost (remote host) field is not set for PAM requests from Exim (Dovecot sets this field though and sshd also seems to do so).
>
> My Exim config looks like this:
>
>> begin authenticators
>>
>> fixed_plain:
>>     driver = plaintext
>>     public_name = PLAIN
>>     server_prompts = :
>>     # Check password in $auth3 for user in $auth2
>>     server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
>>     server_set_id = $auth2
>>
>> login:
>>     driver = plaintext
>>     public_name = LOGIN
>>     server_prompts = Username:: : Password::
>>     # Check password in $auth2 for user in $auth1
>>     server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}
>>     server_set_id = $auth1
>
> Is there anything I can do to also pass the remote IP address to the PAM module? The Exim manual suggests passing more parameters to the PAM function, but it's unclear what to do here.


You'll need to add more items to that colon-separated list.
The first item on the list is special, and given to pam as the user.
Any further ones are just handed to pam, in sequence, when pam ask
for another item - Exim does not know what their meanings are when
handing them over.

I assume that the sequence will match your pam module code sequence
of pam_get_item() calls.

>
>>  pam {<string1>:<string2>:...}
> My PAM module includes this code to retrieve the requested data:
>
>> // Get the service
>> retval = pam_get_item(pamh, PAM_SERVICE, (void*)&service);
>> if (retval != PAM_SUCCESS || service == NULL)
>> {
>>     pam_syslog(pamh, LOG_ERR, "cannot get service");
>>     return PAM_SERVICE_ERR;
>> }


Presumbly you get "exim" for this; we give that as a hardcoded
string to pam_start()

>>
>> // Get the remote user
>> retval = pam_get_item(pamh, PAM_RUSER, (void*)&ruser);
>> if (retval != PAM_SUCCESS || ruser == NULL)
>> {
>>     ruser = "";
>> }


I have no idea what this would need to be. Perhaps a duplicate
of the "user" ? If so, you'll need to duplicate that first
"special" list element.

>>
>> // Get the remote host
>> retval = pam_get_item(pamh, PAM_RHOST, (void*)&rhost);
>> if (retval != PAM_SUCCESS || rhost == NULL)
>> {
>>     rhost = "";
>> }


What are you expecting here? A string with an rDNS name? A string
with representation of an IP address? I hope not some binary blob...

The first two are available as exim variables. Just add to the list.

>>
>> // Get the username
>> retval = pam_get_user(pamh, &username, NULL);
>> if (retval != PAM_SUCCESS)
>> {
>>     pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", pam_strerror(pamh, retval));
>>     return PAM_SERVICE_ERR;
>> }


Presumably this gets the "special" first item from our list.

>>
>> // Converse to obtain a password
>> retval = obtain_authtok(pamh);
>> if (retval != PAM_SUCCESS)
>> {
>>     pam_syslog(pamh, LOG_ERR, "cannot obtain password from user");
>>     return retval;
>> }


And presumably this gets the "next" item off the list, after the
ones above.


--
Cheers,
Jeremy