Re: saslauthd SASL_IPREMOTEPORT -> PAM_RHOST

Quoting Amir 'CG' Caspi <cepheid@xxxxxxxxxx>:

> On Mon, 23 May 2011 at 02:59:58 -0700, Amir 'CG' Caspi wrote:
> > As for the remote user, I can see that saslauthd does receive that info, but it doesn't log it via PAM, as you can see. I believe this is because the remote user is not being passed into the correct field of the pamh struct, within auth_pam. It's being passed into the login field, but it should also be passed into the user field, I believe. I'm not a PAM expert, so I can't be sure, but I think this is the case.
>
> After looking at auth_pam() some more and after reading a bit of PAM documentation, I think that in addition to PAM_RHOST, one also needs to set PAM_USER. This is done with pam_set_item, just as for PAM_RHOST.
>
> I *THINK* a simple call such as:
>
> pam_set_item(pamh, PAM_USER, login)
>
> would work to get PAM to recognize the username and log it appropriately. This would be done in the same place as setting PAM_RHOST.
>
> Could you try this on your patched copy to see if it works? If so, the patch can be updated to include this line, and I think that would fix pretty much everything. =)

My understanding is that it is up to the calling application to log the data, like CyrusMail should be logging auths. If you enable the debug flag for the PAM modules or saslauthd, you will get additional debug information which includes the information you are looking for. However, it is more aimed at developers than it is end users.

Off the top of my head, PAM_USER is passed into the initial structure via an environmental variable; PAM_RHOST is actually set via a callback to an existing pointer.

If you use pam_set_item on PAM_USER it is actually only a temporary change, and won't get passed back to the calling application. And I don't recall off the top of my head whether this gets passed through the rest of the PAM stack or not.

I.e. you auth to CyrusMail as user ME, then user ME gets passed to PAM; if your first module Pam_changeME.so changes the PAM_USER variable to the user YOU for the rest of the auth session, then you will see in your CyrusMail logs user=ME auth failed. In your PAM debug logs, you will see user=YOU failed for the pam_changeme.so debug session.

Kind of make sense?
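A small check of the calls proposed in the quoted message, added here as an example that is not saslauthd's auth_pam() code nor either poster's: it drives the installed libpam through ctypes, sets PAM_RHOST and PAM_USER with pam_set_item in the same place a service would, and reads both back with pam_get_item to see what the stack now holds. It assumes libpam.so.0 and an /etc/pam.d/other (or /etc/pam.conf) are present so that pam_start() succeeds; the service name, user and host passed in are constructed values.

```python
import ctypes
import ctypes.util

PAM_SUCCESS, PAM_USER, PAM_RHOST = 0, 2, 4   # Linux-PAM security/_pam_types.h

# pam_start() requires a conversation struct; the callback is never reached
# here because we stop short of pam_authenticate().
CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, ctypes.c_void_p,
                             ctypes.c_void_p, ctypes.c_void_p)

class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]

def load_libpam():
    """Load the system libpam and declare the four entry points used here."""
    lib = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    lib.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv),
                              ctypes.POINTER(ctypes.c_void_p)]
    lib.pam_set_item.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_char_p]
    lib.pam_get_item.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                 ctypes.POINTER(ctypes.c_void_p)]
    lib.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    return lib

def get_item(lib, pamh, item):
    """pam_get_item() for a string-valued item; None if it is unset."""
    ptr = ctypes.c_void_p()
    if lib.pam_get_item(pamh, item, ctypes.byref(ptr)) != PAM_SUCCESS:
        return None
    return ctypes.string_at(ptr.value).decode() if ptr.value else None

def set_identity_items(service, login, rhost):
    """Start a transaction with no user, then supply PAM_RHOST and PAM_USER
    via pam_set_item as proposed for auth_pam(); return what PAM now holds."""
    lib = load_libpam()
    conv = PamConv(CONV_FUNC(lambda n, msg, resp, data: PAM_SUCCESS), None)
    pamh = ctypes.c_void_p()
    rc = lib.pam_start(service.encode(), None, ctypes.byref(conv),
                       ctypes.byref(pamh))
    if rc != PAM_SUCCESS:
        raise RuntimeError("pam_start failed with code %d" % rc)
    try:
        for item, value in ((PAM_RHOST, rhost), (PAM_USER, login)):
            rc = lib.pam_set_item(pamh, item, value.encode())
            if rc != PAM_SUCCESS:
                raise RuntimeError("pam_set_item(%d) failed: %d" % (item, rc))
        return get_item(lib, pamh, PAM_USER), get_item(lib, pamh, PAM_RHOST)
    finally:
        lib.pam_end(pamh, PAM_SUCCESS)
```

Running set_identity_items("saslauthd", "ME", "192.0.2.10") with the PAM debug flag enabled on the modules in /etc/pam.d/other lets you compare what pam_get_item returns with what the module debug log records for user and rhost.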
