Hi all,

I've been playing around with PAM to try to restrict access to services. It seems to me there is no module available to do the following:

1) get the IP address of PAM_RHOST
2) get the IP address for a hostname listed in a file (like pam_listfile)
3) compare them and see if they are the same

The reason for wanting this: the canonical name for an IP address (which is what seems to end up in PAM_RHOST) is not always the name we will have in our list (I tried this using pam_listfile and pam_rhost). Two situations where this can be an issue:

1) "Example Inc." has a gateway machine (gw.example.com, 192.168.1.88), which we want to allow to access a service. However, since the IP range 192.168.1.1-255 belongs to its ISP, the canonical hostname that is presented in PAM_RHOST will be ppp-88.cust.example.net, so "gw.example.com" will not match. This situation can be addressed by putting an entry in /etc/hosts, provided 192.168.1.88 is a static IP address.

2) "Example Inc." wants to allow access for staff who work remotely. Each staff member has a dynamic DNS name (e.g. dyndns.org, no-ip.org), but because they are using dynamic IP addresses, the solution to the first problem cannot be used (no static IP address to add to /etc/hosts). So host example.no-ip.org wants to connect to the service at example.com. PAM_RHOST will have a value like "pppxxx-xxx.lns1.mel2.internode.on.net", which will not match if I attempt to use "example.no-ip.org" in pam_listfile to restrict/allow access.

Please tell me if I'm wrong on this point (I'd prefer to use someone else's module if there's one that will do the trick). Also let me know if you think there's a good reason not to do what I plan to do. I am aware that relying on DNS has some inherent issues; however, these should not be any worse than the same issues with the hosts used for pam_listfile.
I've pretty much finished a module (shamelessly ripped off from pam_listfile) to do what I want, so if people think it would be worthwhile I can put a copy up.

Regards,
Philip.

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
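The three-step check described above (resolve PAM_RHOST, resolve each listed name, compare addresses), as an added example that is not part of the original post or of Philip's module. It fails closed when a name does not resolve, and the resolver is injectable so the run below uses a constructed DNS table with the post's hostnames (203.0.113.7 is a constructed documentation address).

```python
import ipaddress
import socket
from typing import Callable, List, Set

# A resolver maps a hostname to the set of addresses it currently resolves to.
Resolver = Callable[[str], Set[str]]


def resolve_with_getaddrinfo(name: str) -> Set[str]:
    """Real resolver: every A/AAAA answer for name; empty set if lookup fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def rhost_addresses(rhost: str, resolve: Resolver) -> Set[str]:
    """PAM_RHOST may hold an address literal or a (reverse-lookup) hostname.
    A literal is used as-is; a name is resolved forward, so an attacker who
    controls only reverse DNS cannot choose the address being compared."""
    try:
        return {str(ipaddress.ip_address(rhost))}
    except ValueError:
        return resolve(rhost)


def parse_listfile(text: str) -> List[str]:
    """One hostname per line, pam_listfile style; '#' comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def rhost_allowed(rhost: str, listfile_text: str,
                  resolve: Resolver = resolve_with_getaddrinfo) -> bool:
    """True only if some listed name resolves to an address PAM_RHOST maps to.
    Fails closed: unresolvable rhost, unresolvable entries or an empty list deny."""
    client = rhost_addresses(rhost, resolve)
    if not client:
        return False
    return any(client & resolve(name) for name in parse_listfile(listfile_text))


# Constructed DNS table standing in for real lookups, using the post's names.
FAKE_DNS = {
    "gw.example.com": {"192.168.1.88"},
    "ppp-88.cust.example.net": {"192.168.1.88"},
    "example.no-ip.org": {"203.0.113.7"},
    "pppxxx-xxx.lns1.mel2.internode.on.net": {"203.0.113.7"},
}


def fake_resolve(name: str) -> Set[str]:
    return set(FAKE_DNS.get(name, set()))


# Constructed allow list: the names the admin actually knows, not the ISP names.
ALLOW_LIST = "# hosts allowed to reach the service\ngw.example.com\nexample.no-ip.org\n"
```

Because the listed names are resolved at check time, a dynamic DNS entry that has not yet updated (or is cached) will deny until it catches up, which is the DNS dependence the post acknowledges.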