From 923dc05d68031a217684aba87acdadc7f711c88a Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>

Date: Thu, 10 Mar 2011 15:16:04 +0100

Subject: [PATCH] Set PAM_TTY and PAM_RHOST on PAM authentication

When loging to server, PAM can make decision on client network address, so set

it appropriately. Also some modules require non-empy console name, thus set

PAM_TTY to cvs PAM service name (`cvs').

PAM failure is reported back to client.

This code is back-ported from from upstream developemt tree (r1.489).

`peer' and `len' types fixed to cover any address family.

---

 src/server.c |   47 ++++++++++++++++++++++++++++++++++++++++++++++-

 1 files changed, 46 insertions(+), 1 deletions(-)

diff --git a/src/server.c b/src/server.c

index 0505ab9..bc6f0d0 100644

--- a/src/server.c

+++ b/src/server.c

@@ -5799,18 +5799,61 @@ error 0 %s: no such user\n", username);

 #if PAM_SUPPORT

         pam_handle_t *pamh = NULL;

         struct pam_conv conv;

+        char *pam_stage = "start";

+        struct sockaddr_storage peer;

+        socklen_t len;

+        char host[NI_MAXHOST];

         int retval;

+        /* get the client's ip address */

+        len = sizeof (peer);

+        if (getpeername (STDIN_FILENO, (struct sockaddr *)&peer, &len) < 0)

+        {

+            printf ("E Fatal error, aborting.\n\

+error %s getpeername failed\n", strerror (errno));

+            exit (EXIT_FAILURE);

+        }

+

+        /* convert the ip address to text */

+        if (getnameinfo((struct sockaddr *)&peer, len, host, NI_MAXHOST,

+                    NULL, 0, NI_NUMERICHOST) < 0)

+        {

+            printf ("E Fatal error, aborting.\n\

+error %s getnameinfo failed\n", strerror (errno));

+            exit (EXIT_FAILURE);

+        }

+

         conv.conv = silent_conv;

         conv.appdata_ptr = password;

-        retval = pam_start("cvs", username, &conv, &pamh);

+#define PAM_SERVICE_NAME "cvs"

+        retval = pam_start(PAM_SERVICE_NAME, username, &conv, &pamh);

+

+        /* sets a dummy tty name which pam modules can check for */

+        if (retval == PAM_SUCCESS)

+        {

+            pam_stage = "set dummy tty";

+            retval = pam_set_item (pamh, PAM_TTY, PAM_SERVICE_NAME);

+        }

+#undef PAM_SERVICE_NAME

+

+        if (retval == PAM_SUCCESS)

+        {

+            pam_stage = "set remote host ip";

+            retval = pam_set_item (pamh, PAM_RHOST, host);

+        }

         if (retval == PAM_SUCCESS)

+        {

+            pam_stage = "authenticate";

             retval = pam_authenticate(pamh, 0); /* is user really user? */

+        }

         if (retval == PAM_SUCCESS)

+        {

+            pam_stage = "account";

             retval = pam_acct_mgmt(pamh, 0);    /* permitted access? */

+        }

         /* This is where we have been authorized or not. */

@@ -5818,6 +5861,8 @@ error 0 %s: no such user\n", username);

             host_user = xstrdup (username);

         } else {

             host_user = NULL;

+            printf ("E PAM %s error: %s\n",

+                 pam_stage, pam_strerror (pamh, retval));

         }

         if (pam_end(pamh,retval) != PAM_SUCCESS) {   /* close Linux-PAM */

-- 

1.7.4