ejabberd does not fill out pam rhost field #2858

Open
dorchain opened this issue Apr 13, 2019 · 2 comments
@dorchain

Hello,

As of version 18.12.1, ejabberd does not place anything in the rhost field. The easiest check is with pam_warn.

Mar 20 13:27:46 Redstar epam: pam_warn(ejabberd:auth): function=[pam_sm_authenticate] flags=0 service=[ejabberd] terminal=[] user=[] ruser=[] rhost=[]

The corresponding functionality in the erlang-p1-pam package has been available for a while (cf. #1591).

As it is in the ejabberd.log, it should as well be provided to the PAM stack, as it is not a local service (like e.g. cron).

@zinid
Contributor

zinid commented Apr 23, 2019

Indeed, ejabberd doesn't fill this field.
I'm a bit clueless, what should be in that field?

@zinid zinid self-assigned this Apr 23, 2019
@dorchain
Author

> Indeed, ejabberd doesn't fill this field.
> I'm a bit clueless, what should be in that field?

Sorry, I overlooked the question.

In my understanding of PAM, the RHOST field contains the remote host from which the connection was initiated.

So for a client connecting to ejabberd to be authenticated with pam, we need:

  • PAM_SERVICE: ejabberd (fine)
  • PAM_USER: the local user name (not set)
  • PAM_RHOST: the remote host (IP address or FQDN, not set)

PAM_RUSER is the remote user name on the client machine, in case it is different from the local user name we are trying to authenticate, and optional. (For me, I do not care; besides, it would be hard to get.) PAM_TERMINAL makes sense for ttys. If anything, use the same value as for PAM_SERVICE, or just leave it empty.

Besides, I would like to point to The Linux-PAM Application Developers' Guide, specifically chapter 3.1.3.1.
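
An added example, not part of the thread or of ejabberd's code: a Python check that parses pam_warn lines like the one quoted in the issue and reports which of the items listed above (service, user, rhost) reached the PAM stack empty. The second sample line and all function names are constructed for illustration.

```python
import re

# Constructed sample input: the first line is the pam_warn entry quoted in the
# issue; the second is a made-up entry showing the same fields populated.
SAMPLE_LOG = """\
Mar 20 13:27:46 Redstar epam: pam_warn(ejabberd:auth): function=[pam_sm_authenticate] flags=0 service=[ejabberd] terminal=[] user=[] ruser=[] rhost=[]
Mar 20 13:29:02 Redstar epam: pam_warn(ejabberd:auth): function=[pam_sm_authenticate] flags=0 service=[ejabberd] terminal=[] user=[alice] ruser=[] rhost=[192.0.2.10]
"""

# Items the issue says a network service should hand to the PAM stack.
REQUIRED_ITEMS = ("service", "user", "rhost")

HEADER = re.compile(r"pam_warn\([^:)]+:(?P<type>[^)]+)\):\s*(?P<body>.*)$")
# key=[value]; the lookahead lets a value contain ']' without ending the match early.
FIELD = re.compile(r"(\w+)=\[(.*?)\](?=\s+\w+=|\s*$)")


def parse_pam_warn(line):
    """Return the fields of one pam_warn log line, or None if it is not one."""
    m = HEADER.search(line)
    if m is None:
        return None
    fields = dict(FIELD.findall(m.group("body")))
    fields["module_type"] = m.group("type")
    return fields


def missing_items(fields, required=REQUIRED_ITEMS):
    """List the required PAM items that are absent or empty."""
    return [name for name in required if not fields.get(name)]


def audit(log_text):
    """Return (line_number, service, missing_items) for each incomplete entry."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_pam_warn(line)
        if fields is None:
            continue
        missing = missing_items(fields)
        if missing:
            findings.append((number, fields.get("service", ""), missing))
    return findings


if __name__ == "__main__":
    for number, service, missing in audit(SAMPLE_LOG):
        print(f"line {number}: service {service!r} passed no value for {', '.join(missing)}")
```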
