Set PAM_RHOST in saslauthd's auth_pam #346

Open
brong opened this issue May 22, 2011 · 11 comments
@brong brong commented May 22, 2011

From: Lorenzo M. Catucci
Bugzilla-Id: 3468
Version: 2.1.x
Owner: Ken Murchison

@brong brong commented May 22, 2011

From: Lorenzo M. Catucci

Please find a patch I've just written (and very lightly tested) to let
saslauthd know the SASL_IPREMOTEPORT and in turn set the PAM_RHOST item
within the pam context.

I'm attaching two versions of my changes, since there were some conflicts
between the work I've done for 2.1.23 and the upstream changes applied to the upcoming 2.1.24 version.

I'd be grateful about any comment - review - test which could help with
upstreaming my patch.

The changes to ipc_doors.c are untested, since I don't have a working
account on a solaris system.

From what I've seen on google, there are at least a couple of people
interested in these changes, since they have been repeatedly requested, both
on the sasl mailing list and on RedHat's bugzilla:

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2011-March/002218.html
"saslauthd/PAM IP logging on failure" - 2011-03-26

https://bugzilla.redhat.com/show_bug.cgi?id=683797
"saslauthd using pam does not log rhost (remote host) IP/hostname
or requested login in /var/log/secure" - 2011-03-10

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html
"PAM authentication - Remote host" - 2010-07-13

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-May/002085.html
"remote client ip" - 2010-05-24

While the changes are really limited, I hereby expressly authorize redistribution and use under the original file's licence.

In detail:

  1. lib/checkpw.c: 4 clause bsd-like licence *cmu
  2. saslauthd/auth_dce.{c,h}: 2 clause bsd-like licence - *md
  3. saslauthd/auth_getpwent.{c,h}: 2 clause bsd-like licence - *md
  4. saslauthd/auth_httpform.{c,h}: 2 clause bsd-like licence - *pe
  5. saslauthd/auth_krb4.{c,h}: 2 clause bsd-like licence - *md
  6. saslauthd/auth_krb5.{c,h}: 2 clause bsd-like licence - *md
  7. saslauthd/auth_ldap.{c,h}: 2 clause bsd-like licence - *ib
  8. saslauthd/auth_pam.{c,h}: 2 clause bsd-like licence - *fk
  9. saslauthd/auth_rimap.{c,h}: 2 clause bsd-like licence - *md
  10. saslauthd/auth_sasldb.{c,h}: 2 clause bsd-like licence - *md
  11. saslauthd/auth_shadow.{c,h}: 2 clause bsd-like licence - *md
  12. saslauthd/auth_sia.{c,h}: 2 clause bsd-like licence - *md
  13. saslauthd/ipc_doors.c: 2 clause bsd-like licence - *md
  14. saslauthd/ipc_unix.c: 2 clause bsd-like licence - *md
  15. saslauthd/mechanisms.h: 2 clause bsd-like licence - *md
  16. saslauthd/saslauthd-main.{c,h}: 2 clause bsd-like licence - *md

*cmu - Carnegie Mellon University.
*md - Messaging Direct Ltd.
*pe - Pyx Engineering AG
*ib - Igor Brezac
*fk - Fabian Knittel

As for the copyright, I would be equally satisfied, at sasl project's representative's sole option, either if it would be assigned to the respective file's copyright owner, or if a statement was added in each of the modified .c files declaring my own copyright on the changed portions.

Thank you very much for reading this far... yours

lorenzo m. catucci
@brong brong commented May 22, 2011

Attachment-Id: 1390
From: Lorenzo M. Catucci
Type: text/plain
File: saslauthd_pam_rhost_2.1.23.diff

Enable PAM_RHOST on cyrus-sasl 2.1.23

@brong brong commented May 22, 2011

Attachment-Id: 1391
From: Lorenzo M. Catucci
Type: text/plain
File: saslauthd_pam_rhost_2.1.24rc1.diff

Enable PAM_RHOST on upcoming cyrus-sasl 2.1.24

@brong brong commented May 22, 2011

From: Lorenzo M. Catucci

Just for the record: most of the recorded changes are simply a global
API change.

The only places where there is a significant change are the following
files:

  • lib/checkpw.c
  • saslauthd/auth_pam.c
  • saslauthd/ipc_doors.c
  • saslauthd/ipc_unix.c

The changes in saslauthd/saslauthd-main.c are really minor.

As can be seen from the diffstat:

lib/checkpw.c | 25 +++++++++++++++++++++----
saslauthd/auth_dce.c | 6 ++++--
saslauthd/auth_dce.h | 2 +-
saslauthd/auth_getpwent.c | 3 ++-
saslauthd/auth_getpwent.h | 2 +-
saslauthd/auth_httpform.c | 3 ++-
saslauthd/auth_httpform.h | 2 +-
saslauthd/auth_krb4.c | 6 ++++--
saslauthd/auth_krb4.h | 2 +-
saslauthd/auth_krb5.c | 9 ++++++---
saslauthd/auth_krb5.h | 2 +-
saslauthd/auth_ldap.c | 6 ++++--
saslauthd/auth_ldap.h | 2 +-
saslauthd/auth_pam.c | 14 ++++++++++++--
saslauthd/auth_pam.h | 2 +-
saslauthd/auth_rimap.c | 3 ++-
saslauthd/auth_rimap.h | 2 +-
saslauthd/auth_sasldb.c | 5 +++--
saslauthd/auth_sasldb.h | 2 +-
saslauthd/auth_shadow.c | 6 ++++--
saslauthd/auth_shadow.h | 2 +-
saslauthd/auth_sia.c | 6 ++++--
saslauthd/auth_sia.h | 2 +-
saslauthd/ipc_doors.c | 19 ++++++++++++++++++-
saslauthd/ipc_unix.c | 21 +++++++++++++++++++--
saslauthd/mechanisms.h | 4 ++--
saslauthd/saslauthd-main.c | 16 ++++++++--------
saslauthd/saslauthd-main.h | 3 ++-
28 files changed, 128 insertions(+), 49 deletions(-)

@brong brong commented May 28, 2011

From: Amir Caspi

Lorenzo has confirmed on the mailing list that the 2.1.23 patch applies cleanly to 2.1.22 as well. It would be greatly appreciated if these patches could be rolled into the respective versions... in particular, 2.1.22 is still being used by RHEL, so backporting these changes to 2.1.22 would be greatly beneficial as well. RHEL is likely to incorporate these changes only if they are first accepted here, upstream.

Thanks.

@brong brong commented Aug 9, 2011

Attachment-Id: 1409
From: Lorenzo M. Catucci
Type: text/plain
File: saslauthd_pam_rhost_2.1.24rc1.diff

Corrected version of the 2.1.24 patch

@brong brong commented Oct 29, 2011

From: Amir Caspi

Just wondering if there is an ETA on incorporating this patch into saslauthd... and, particularly, in backporting it to v2.1.22 for inclusion in RHEL/CentOS.

For the record, I've opened downstream bugs at RHEL and CentOS:
https://bugzilla.redhat.com/show_bug.cgi?id=683797
http://bugs.centos.org/view.php?id=4760

So far, unfortunately, no motion on either.

@brong brong commented Dec 5, 2013

From: Kelsey Cummings

Just a bump, this would be a good feature for support and is currently blocking us from having centralized user/ip auth logs where the authentication is passing through cyrus sasl. Was there something wrong with these patches that they weren't pulled in?

@brong brong commented Dec 5, 2013

From: Amir Caspi

(In reply to comment #7)
> Was there something wrong with these patches that they weren't pulled in?

Per the linked RedHat bug (see above), RHEL devs said the patch, as currently implemented, broke compatibility with certain clients. See comments 10-12 and 16 in the linked bug. See also comment 20 there.

RHEL won't implement this fix until it complies with whatever they're claiming is broken. They've already closed the bug as a WONTFIX. I think the only way to get them to reopen this and backport any changes would be if the patch addresses their concerns. It looks like the only way to do that is to modify saslauthd so that it won't block when it doesn't receive the rhost (per comment 16 in the linked bug), or to implement some other means of encoding the rhost in the existing 4 atoms being sent (see comment 17).
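Added example (not from this issue or from cyrus-sasl): a small Python model of the saslauthd request as the four length-prefixed atoms the comment above refers to (user, password, service, realm, each assumed to be a 16-bit network-order length followed by the bytes), with an optional fifth rhost atom. The parser works on a complete buffer, so a legacy four-atom request decodes with rhost absent instead of leaving the server waiting for a fifth atom; the field names and sample values are assumptions for illustration.

```python
"""Illustrative model of the saslauthd request framing (added example,
not cyrus-sasl code): 4 required atoms plus an optional rhost atom."""
import struct

REQUIRED = ("user", "password", "service", "realm")


def pack_atom(value: bytes) -> bytes:
    """One atom: 16-bit big-endian length, then the bytes (assumed layout)."""
    if len(value) > 0xFFFF:
        raise ValueError("atom too long for a 16-bit length prefix")
    return struct.pack("!H", len(value)) + value


def encode_request(user, password, service, realm, rhost=None) -> bytes:
    """Build a request; rhost is only appended when the client knows it."""
    atoms = [user, password, service, realm]
    if rhost is not None:
        atoms.append(rhost)
    return b"".join(pack_atom(a.encode()) for a in atoms)


def parse_request(buf: bytes):
    """Decode up to 5 atoms from a complete buffer.

    A buffer holding exactly 4 atoms is a legacy client: rhost becomes None
    rather than an error, which is the compatibility concern from the thread.
    Fewer than 4 atoms, or a truncated atom, is a malformed request.
    """
    atoms, off = [], 0
    while len(atoms) < 5 and off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", buf, off)
        off += 2
        if off + n > len(buf):
            raise ValueError("truncated atom body")
        atoms.append(buf[off:off + n].decode())
        off += n
    if len(atoms) < 4:
        raise ValueError("request needs at least %d atoms" % len(REQUIRED))
    req = dict(zip(REQUIRED, atoms[:4]))
    req["rhost"] = atoms[4] if len(atoms) == 5 else None
    return req, off
```

The rhost value is what a PAM backend would hand to pam_set_item(PAM_RHOST) so that failed logins carry the client address in the log.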

@brong brong commented Oct 25, 2016

From: Lorenzo M. Catucci

I've just rebased the patches to github's master and submitted as

https://github.com/cyrusimap/cyrus-sasl/pull/6

As from this updated request, I've adapted testsaslauthd to the changed protocol ABI, which should solve the problems seen by RH developers.

Thank you.

@K2IE K2IE commented Apr 25, 2019

Any activity or updates on resolving this issue? It remains an issue on FC 29 as of April 2019.
