Authentication failure journal entries do not show the client IP address #251

Closed
joseph-reynolds opened this issue Apr 21, 2023 · 2 comments

Comments

@joseph-reynolds
Contributor

joseph-reynolds commented Apr 21, 2023

Describe the bug
BMCWeb authentication failures do not provide the client IP address. This is needed to help diagnose when multiple clients are connecting to the BMC.

Environment
No special environment is needed.

This was tried on IBM's fork at https://github.com/ibm-openbmc/bmcweb/tree/1030/.

To Reproduce
Steps to reproduce the behavior:

  1. Attempt to log into BMCWeb using password authentication with incorrect credentials (username or password).
  2. BMCWeb via Linux PAM writes a journal message like pam_unix(webserver:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin
  3. Expected behavior was to see correct values for ruser & rhost.

Is this a regression
This is not a regression.

@joseph-reynolds
Contributor Author

Solution idea.

Background: I think the log entry logname= uid=0 euid=0 tty= ruser= rhost= user=admin is written via: https://github.com/linux-pam/linux-pam/blob/4ce09656536911d9048519b8ee18e53353c9cae8/modules/pam_unix/support.c#L782. In this function, the rhost value is retrieved from pam_get_item(pamh, PAM_RHOST, &rhost).

Solution idea: If the BMCWeb server used pam_set_item(pamh, PAM_RHOST, &rhost) after pam_start and before pam_authenticate, about here: https://github.com/openbmc/bmcweb/blob/master/include/pam_authenticate.hpp#L104
then PAM would log the client IP address.

That information is in the HTTP Request structure, ipAddress field and could be passed into the pamAuthenticateUser function.
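The journal line quoted in this issue, parsed as an added example (not code from bmcweb or linux-pam, and not part of the comment above): it shows why an empty rhost matters for triage, since those failures cannot be grouped by client. All sample lines except the first are constructed and assume PAM_RHOST had been set; `parse_failure` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# pam_unix failure line: "pam_unix(<service>:auth): authentication failure; k=v k=v ..."
FAILURE_RE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;(?P<fields>.*)$"
)
# Values may be empty ("rhost= user=admin"), so match zero or more non-space chars.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_failure(line):
    """Return a dict of fields for a pam_unix auth failure line, else None."""
    m = FAILURE_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    fields["service"] = m.group("service")
    return fields


def summarize(lines):
    """Count failures per (rhost, user); an empty rhost is counted under
    None because the failure cannot be tied to a client."""
    per_source = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        per_source[(rec.get("rhost") or None, rec.get("user", ""))] += 1
    return per_source


# Constructed sample journal lines. The first is the message quoted in the
# issue; the others assume PAM_RHOST was set (addresses are documentation IPs).
SAMPLE = [
    "pam_unix(webserver:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin",
    "pam_unix(webserver:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=admin",
    "pam_unix(webserver:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=admin",
    "pam_unix(webserver:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=2001:db8::7 user=root",
    "pam_unix(sshd:session): session opened for user admin",
]

if __name__ == "__main__":
    for (rhost, user), n in summarize(SAMPLE).items():
        print(f"{n} failure(s) user={user} from {rhost or 'UNKNOWN (empty rhost)'}")
```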

@edtanous
Contributor

> This was tried on IBM's fork at https://github.com/ibm-openbmc/bmcweb/tree/1030/.

Please file bugs only against code in this tree. Feel free to file bugs for the ibm fork in the ibm fork.

So far as I can tell, this is working as designed, nobody has built out this feature, so this isn't a bug. Feel free to have a discussion on discord or the mailing list.
