Re: [exim] Set rhost for PAM authentication

Top Page
Delete this message
Reply to this message
Author: Yves Goergen
Date:  
To: Jeremy Harris, exim-users
Subject: Re: [exim] Set rhost for PAM authentication
To be honest, I have no idea how PAM communicates internally. This code
is largely based on another module that comes with Linux and does
something similar, pam_userdb.c.

I see "exim" as the service name. I don't know what the remote_user
field is and don't regard it. Dovecot sends the IP address string as
remote host so I'd like to see that here as well. This allows me to
enable rate limiting per host (not just per user as it is now for Exim).

From what I've read, I believed that these fields are more or less
defined in PAM, just like the return codes and stuff. Let's see...
Here's the code of dovecot:

https://github.com/dovecot/core/blob/master/src/auth/passdb-pam.c

It contains the PAM_RHOST constant. Looks like PAM knows what that field
means. And there is a pam_set_item function that looks like it should be
called by the application. What happens if I just add more values to the
Exim pam function?

This looks like the corresponding Exim code:

https://github.com/Exim/exim/blob/master/src/src/auths/call_pam.c

I can't see the use of pam_set_item here at all. But again, I don't know
how a PAM client must be implemented, I'm lucky that my PAM module is
working. This entire API seems pretty messy. But since there's no other
standard, that's what we'll have to use.

-Yves


-------- Ursprüngliche Nachricht --------
Von: Jeremy Harris via Exim-users <exim-users@???>
Gesendet: Donnerstag, 7. Januar 2021, 21:58 MEZ
Betreff: [exim] Set rhost for PAM authentication

On 07/01/2021 20:09, Yves Goergen via Exim-users wrote:
I'm using the PAM authentication in Exim together with a custom PAM
module that validates the password. I noticed that the rhost (remote
host) field is not set for PAM requests from Exim (Dovecot sets this
field though and sshd also seems to do so).

My Exim config looks like this:

begin authenticators

fixed_plain:
    driver = plaintext
    public_name = PLAIN
    server_prompts = :
    # Check password in $auth3 for user in $auth2
    server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
    server_set_id = $auth2

login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = Username:: : Password::
    # Check password in $auth2 for user in $auth1
    server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}
    server_set_id = $auth1

Is there anything I can do to also pass the remote IP address to the PAM
module? The Exim manual suggests passing more parameters to the PAM
function, but it's unclear what to do here.

You'll need to add more items to that colon-separated list.
The first item on the list is special, and given to pam as the user.
Any further ones are just handed to pam, in sequence, when pam ask
for another item - Exim does not know what their meanings are when
handing them over.

I assume that the sequence will match your pam module code sequence
of pam_get_item() calls.


 pam {<string1>:<string2>:...}
My PAM module includes this code to retrieve the requested data:

// Get the service
retval = pam_get_item(pamh, PAM_SERVICE, (void*)&service);
if (retval != PAM_SUCCESS || service == NULL)
{
    pam_syslog(pamh, LOG_ERR, "cannot get service");
    return PAM_SERVICE_ERR;
}

Presumbly you get "exim" for this; we give that as a hardcoded
string to pam_start()


// Get the remote user
retval = pam_get_item(pamh, PAM_RUSER, (void*)&ruser);
if (retval != PAM_SUCCESS || ruser == NULL)
{
    ruser = "";
}

I have no idea what this would need to be. Perhaps a duplicate
of the "user" ? If so, you'll need to duplicate that first
"special" list element.


// Get the remote host
retval = pam_get_item(pamh, PAM_RHOST, (void*)&rhost);
if (retval != PAM_SUCCESS || rhost == NULL)
{
    rhost = "";
}

What are you expecting here? A string with an rDNS name? A string
with representation of an IP address? I hope not some binary blob...

The first two are available as exim variables. Just add to the list.


// Get the username
retval = pam_get_user(pamh, &username, NULL);
if (retval != PAM_SUCCESS)
{
    pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s",
pam_strerror(pamh, retval));
    return PAM_SERVICE_ERR;
}

Presumably this gets the "special" first item from our list.


// Converse to obtain a password
retval = obtain_authtok(pamh);
if (retval != PAM_SUCCESS)
{
    pam_syslog(pamh, LOG_ERR, "cannot obtain password from user");
    return retval;
}

And presumably this gets the "next" item off the list, after the
ones above.