saslauthd/PAM IP logging on failure

Amir 'CG' Caspi cepheid at 3phase.com
Sat Apr 2 22:29:54 EDT 2011 

Hi all,

	Just wondering if anyone might have any ideas for this one. 
I've been reading through the code but haven't yet figured out how to 
get auth_pam() access to the rhost IP.
	Hopefully someone has either implemented this or has ideas...

Thanks!
						--- Amir

At 4:24 AM -0800 03/26/2011, Amir 'CG' Caspi wrote:
>Hi all,
>
>	This topic has come up before (most recently last summer - 
>http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html), 
>but no resolution was ever reached and this issue has recently 
>become rather important for me as I've been working to secure my 
>server.
>
>	I'm using CentOS 5 (RHEL 5) with cyrus-sasl 2.1.22-5 (the 
>default CentOS/RHEL release version).
>
>	Using the current codebase, when saslauthd experiences an 
>auth failure, it does not log the remote host IP or requested login 
>name.  This is particularly obvious when using PAM, wherein the 
>failure gets logged to /var/log/secure as:
>
>Mar 9 06:56:41 hostname saslauthd[25858]: pam_unix(smtp:auth): 
>authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>
>This is a problem because these log entries are essentially useless 
>for automated firewalling, e.g. via fail2ban or BFD.
>
>	In looking through the code, I see that the root cause of the 
>issue is that auth_pam() in saslauthd/auth_pam.c does not include 
>any argument for the rhost, and the requested login info is also 
>(apparently) not passed into the proper field of the pamh structure; 
>thus, neither rhost nor user get recorded by PAM.
>
>	In principle, it should be possible to fill these fields in 
>using (for example) sasl_getprop and pam_set_item, but I am not 
>sufficiently well-versed in the codebase to write such a patch.  (In 
>particular, no sasl_conn_t variable is even present in auth_pam(), 
>which sasl_getprop requires.)
>	A patch was once written for a (very old!) version of 
>cyrus-sasl, v1.5.24 (see 
>http://www.uklinux.net/software/cyrus-sasl-1.5.24-pam-rhost.patch), 
>but this appears to have never become a part of the official 
>codebase, and I haven't yet figured out how to forward-port this 
>patch into the current sasl code.
>
>	Has anyone here written or know of a patch for sasl to get 
>saslauthd (particularly using auth_pam, but also for any other auth 
>method) to properly record both the rhost and user fields in the 
>error logs?  If not, would someone be willing to help craft such a 
>patch?
>	I think this would be something very important to get into 
>the codebase, because the PAM errors currently being recorded are of 
>very limited use, particularly for automated firewalls like fail2ban 
>or BFD.
>
>	Any help would be greatly appreciated - I would very much 
>like to finally be able to use fail2ban (or BFD) to kill SMTP AUTH 
>hack attempts.
>
>Thanks in advance.
>						-- Amir

More information about the Cyrus-sasl mailing list