Hi all,

Ah, I see. That makes sense. I see that PAM does only log
the user info if it's a known user... I checked my SSH logs, for
example, and you're right - the user field is populated only for
existing users.

So, I can see why to avoid setting PAM_USER.

Of course, the rhost really is the most important piece
anyway, since that's what I need for firewalling. I can live without
the bad username, since apparently it's not logged anyway even with
other services.

I'll try to compile a local copy of cyrus-sasl to see if this
patch works for me, though I unfortunately don't have a test server
(only a production server) so I'm not sure when I can find some
downtime to test this.

Thanks for the help so far, Lorenzo! (And Sean!)

--- Amir

At 8:33 PM +0200 05/23/2011, Lorenzo M. Catucci wrote:
> On 05/23/2011 08:10 PM, omalleys@xxxxxxx wrote:
> > My understanding is that it is up to the calling application to log
> > the data like CyrusMail should be logging auths,
>
> VERY, VERY TRUE!!! Sorry for AOL-ing!
>
> > If you use PAM_SET_ITEM on PAM_USER it is actually only a temporary
> > change, and won't get passed back to the calling application. And I
> > don't recall off the top of my head whether this gets passed through
> > the rest of the pam stack or not.
>
> Really, PAM_USER should be treated as a "read only" item by the
> application, as I tried to express in my previous mail;
> on the other hand, RUSER should be set from the application only when
> really defined; in the case of an unknown
> requestor, one can as well set RUSER to "anonymous" or "root", but not
> to the proposed login.
>
> Thank you very much, yours
> lorenzo
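
Added example, not part of the thread or of cyrus-sasl: a log check that counts PAM authentication failures per `rhost` for firewalling and treats the `user` field as optional, since it is missing for unknown accounts. It assumes the pam_unix-style `authentication failure; ... rhost=... user=...` syslog layout; the sample lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (documentation address ranges, made-up names).
SAMPLE_LOG = """\
May 23 20:01:11 mail sshd[411]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
May 23 20:01:14 mail sshd[412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
May 23 20:01:19 mail sshd[413]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
May 23 20:02:02 mail sshd[420]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=amir
May 23 20:03:40 mail su[431]: pam_unix(su:auth): authentication failure; logname=amir uid=1000 euid=0 tty=pts/0 ruser=amir rhost=  user=root
"""

MARKER = "authentication failure;"
# key=value pairs; the value may be empty (e.g. "ruser=").
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_failure(line):
    """Return the key=value fields of a PAM failure line, or None."""
    if MARKER not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split(MARKER, 1)[1]):
        # First occurrence wins: rhost precedes user in this layout, so a
        # later "rhost=" inside another field cannot override it.
        fields.setdefault(key, value)
    # Unknown accounts carry no user field: record None, never guess a name.
    fields.setdefault("user", None)
    return fields


def hosts_over_threshold(log_text, threshold=3):
    """Count failures per non-empty rhost; return hosts at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_failure(line)
        if fields and fields.get("rhost"):  # skip local failures (empty rhost)
            counts[fields["rhost"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in sorted(hosts_over_threshold(SAMPLE_LOG).items()):
        print(f"{host}\t{n} failures")
```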