PAM authentication - Remote host
omalleys at msu.edu
Wed Jul 14 09:38:36 EDT 2010
What you are saying is absolutely correct, and it is entirely possible to do.
It should be included in the distribution.
The -correct- way to do this would be to write a sasl pam module. :) however..
If SASL_IPREMOTEPORT actually gets set by the application, it is a
callback to the application through the sasl2 library. I.e. the data is
not actually passed to the sasl library when the authentication
process starts. It is grabbed at a later point in time if needed.
The sasl2 library sends a data string to saslauthd to do the authentication.
As stated before the string that gets sent only contains 4 values and
there is no interface for the callback to get the data.
The other issue which I am not sure if it has been resolved or not, is
in the definition of PAM_RHOST. Last I checked (a long while ago) it
wasn't specified as to whether it should be an IP# or a hostname.
I -believe- the SASL_IPREMOTEPORT data doesn't actually get sent to
saslauthd for performance reasons. If you do a hostname lookup on the
data, it tends to slow things down. I believe it is also one of the
original reasons why the 4 arguments weren't hardcoded like they are
now.
Quoting fmma at itu.dk:
> In the man pages for the function sasl_getprop
> (http://linux.die.net/man/3/sasl_getprop) it mentions that it is possible
> to get the remote address string by using SASL_IPREMOTEPORT as input to
> the function. I assume that the remote address string would contain a
> value suitable for PAM_RHOST. Is this wrong?
>
> If not, then surely it should be possible for saslauthd to assign a value
> to RHOST (and maybe other items) before the PAM authentication procedure
> commences by calling sasl_getprop and pam_set_item. This may be the code
> twiddling you are referring to, but to me it seems rather fundamental and
> it is my opinion that this should be included in the distributed packages.
>
> - Frederik
>
>> The saslauthd doesn't have an argument for RHOST or any of the other
>> pam arguments.
>> It only has 4 arguments available. username, password, realm and mech
>> (i think).
>>
>> You can get it to work but you have to twiddle with the code a little bit.
>>
>>
>> Quoting fmma at itu.dk:
>>
>>> Why does Cyrus-SASL not populate the PAM environment items (such as
>>> PAM_RHOST) when using the PAM authentication mechanism ? Am I missing
>>> something?
>>>
>>> - Frederik
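The point made above, that saslauthd is handed only four values and therefore has nothing it could put into PAM_RHOST, can be made concrete with a small encoder/decoder for the request. This is an added example, not code from this thread or from Cyrus SASL itself. It assumes the saslauthd request is four strings each prefixed by a 16-bit big-endian length (the field names login/password/service/realm, and the mapping of login to PAM_USER and service to the PAM service name, are assumptions here), and that the reply is one length-prefixed string beginning with OK or NO. A PAM module reached through saslauthd can only be given what is in this message, so host-based rules (pam_access-style checks on PAM_RHOST) have nothing to act on.

```python
import struct

# Assumed field order of the saslauthd request (not confirmed by the thread).
SASLAUTHD_FIELDS = ("login", "password", "service", "realm")


def encode_request(login, password, service="", realm=""):
    """Build a saslauthd request: four strings, each with a 16-bit big-endian length."""
    out = bytearray()
    for value in (login, password, service, realm):
        data = value.encode("utf-8")
        if len(data) > 0xFFFF:
            raise ValueError("field too long for a 16-bit length prefix")
        out += struct.pack("!H", len(data)) + data
    return bytes(out)


def decode_request(buf):
    """Parse a request into a dict; reject truncated or trailing bytes."""
    fields = {}
    pos = 0
    for name in SASLAUTHD_FIELDS:
        if pos + 2 > len(buf):
            raise ValueError("truncated length prefix for %s" % name)
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if pos + length > len(buf):
            raise ValueError("truncated %s field" % name)
        fields[name] = buf[pos:pos + length].decode("utf-8")
        pos += length
    if pos != len(buf):
        raise ValueError("trailing bytes after the four fields")
    return fields


def decode_response(buf):
    """Parse the reply: one length-prefixed string, 'OK' or 'NO' plus an optional message."""
    if len(buf) < 2:
        raise ValueError("truncated response")
    (length,) = struct.unpack_from("!H", buf, 0)
    if 2 + length != len(buf):
        raise ValueError("response length prefix does not match payload")
    text = buf[2:2 + length].decode("utf-8")
    status, _, message = text.partition(" ")
    if status not in ("OK", "NO"):
        raise ValueError("unexpected status %r" % status)
    return status == "OK", message


def pam_items_from_request(fields):
    """What a PAM stack behind saslauthd could be given from the request alone.

    PAM_RHOST is None because the wire format carries no remote-host value;
    the SASL_IPREMOTEPORT property never leaves the application process.
    """
    return {
        "PAM_USER": fields["login"],
        "PAM_SERVICE": fields["service"],  # assumed to become the pam_start() service name
        "PAM_RHOST": None,
    }


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    req = encode_request("alice", "secret", "imap", "example.com")
    print(req)
    print(decode_request(req))
    print(pam_items_from_request(decode_request(req)))
    print(decode_response(b"\x00\x0bNO (denied)"))
```

Running the module prints the 34-byte request, its decoded fields, and the PAM item mapping with PAM_RHOST still unset, which is the gap the thread is discussing.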