[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hi all,

Ah, I see. That makes sense. I see that PAM does only log the user info if it's a known user... I checked my SSH logs, for example, and you're right - the user field is populated only for existing users.
	So, I can see why to avoid setting PAM_USER.

Of course, the rhost really is the most important piece anyway, since that's what I need for firewalling. I can live without the bad username, since apparently it's not logged anyway even with other services.

I'll try to compile a local copy of cyrus-sasl to see if this patch works for me, though I unfortunately don't have a test server (only a production server) so I'm not sure when I can find some downtime to test this.

	Thanks for the help so far, Lorenzo!  (And Sean!)

						--- Amir

At 8:33 PM +0200 05/23/2011, Lorenzo M. Catucci wrote:
On 05/23/2011 08:10 PM, omalleys@xxxxxxx wrote:

 My understanding is that it is up to the calling application to log
 the data like CyrusMail should be logging auths,

VERY, VERY TRUE!!! Sorry for AOL-ing!

 If you use PAM_SET_ITEM on PAM_USER it is actually only a temporary
 change, and won't get passed back to the calling application. And I
 don't recall off the top of my head whether this gets passed through
 the rest of the pam stack or not.

Really, PAM_USER should be treated as a "read only" item by the
application, as I tried to express in my previous mail;
on the other hand, RUSER should be set from the application only when
really defined; in the case of an unknown
requestor, one can as well set RUSER to "anonymous" or "root", but not
to the proposed login.

Thank you very much, yours


[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux