Hi all,
Just wondering if anyone might have any ideas for this one. I've
been reading through the code but haven't yet figured out how to get
auth_pam() access to the rhost IP.
Hopefully someone has either implemented this or has ideas...
Thanks!
--- Amir
Hi Amir,
I think the old patch your referenced attempted to shim PAM into checkpw.c
within the glue layer, except that PAM is contained entirely within
saslauthd, which runs in a separate process.
The saslauthd 'protocol' gets passed the following information via a unix
socket:
userid
password
servicename
realm
And would never have the IP address to pass to PAM. One approach might be
to add an additional item to the protocol that passes the client IP
on to PAM.
cyrus imap logs failed authentications with the client IP address to
syslog, but doesn't include the username, probably because the username
can't always be determined until a successful authentication is negotiated
(such as with GSSAPI).
I think this is something needs to be fixed in a logical, and supportable
way.
Is your goal to see the IP address of a failed login attempt within syslog?
Or is your ultimate goal to make use of the ip address within a pam module
to make authentication decisions?
At 4:24 AM -0800 03/26/2011, Amir 'CG' Caspi wrote:
Hi all,
This topic has come up before (most recently last summer - http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html),
but no resolution was ever reached and this issue has recently
become rather important for me as I've been working to secure my
server.
I'm using CentOS 5 (RHEL 5) with cyrus-sasl 2.1.22-5 (the default
CentOS/RHEL release version).
Using the current codebase, when saslauthd experiences an auth
failure, it does not log the remote host IP or requested login
name. This is particularly obvious when using PAM, wherein the
failure gets logged to /var/log/secure as:
Mar 9 06:56:41 hostname saslauthd[25858]: pam_unix(smtp:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
This is a problem because these log entries are essentially useless
for automated firewalling, e.g. via fail2ban or BFD.
In looking through the code, I see that the root cause of the
issue is that auth_pam() in saslauthd/auth_pam.c does not include
any argument for the rhost, and the requested login info is also
(apparently) not passed into the proper field of the pamh
structure; thus, neither rhost nor user get recorded by PAM.
In principle, it should be possible to fill these fields in using
(for example) sasl_getprop and pam_set_item, but I am not
sufficiently well-versed in the codebase to write such a patch.
(In particular, no sasl_conn_t variable is even present in
auth_pam(), which sasl_getprop requires.)
A patch was once written for a (very old!) version of cyrus-sasl,
v1.5.24 (see
http://www.uklinux.net/software/cyrus-sasl-1.5.24-pam-rhost.patch),
but this appears to have never become a part of the official
codebase, and I haven't yet figured out how to forward-port this
patch into the current sasl code.
Has anyone here written or know of a patch for sasl to get
saslauthd (particularly using auth_pam, but also for any other auth
method) to properly record both the rhost and user fields in the
error logs? If not, would someone be willing to help craft such a
patch?
I think this would be something very important to get into the
codebase, because the PAM errors currently being recorded are of
very limited use, particularly for automated firewalls like
fail2ban or BFD.
Any help would be greatly appreciated - I would very much like to
finally be able to use fail2ban (or BFD) to kill SMTP AUTH hack
attempts.
--
Dan White
