saslauthd/PAM IP logging on failure

Dan White dwhite at olp.net
Sun Apr 3 02:16:11 EDT 2011


>Hi all,
>
>	Just wondering if anyone might have any ideas for this one. I've 
>been reading through the code but haven't yet figured out how to get 
>auth_pam() access to the rhost IP.
>	Hopefully someone has either implemented this or has ideas...
>
>Thanks!
>						--- Amir

Hi Amir,

I think the old patch you referenced attempted to shim PAM into checkpw.c
within the glue layer, except that PAM is contained entirely within
saslauthd, which runs in a separate process.

The saslauthd 'protocol' gets passed the following information via a unix
socket:
   userid
   password
   servicename
   realm

And would never have the IP address to pass to PAM. One approach might be
to add an additional item to the protocol that passes the client IP
on to PAM.

cyrus imap logs failed authentications with the client IP address to
syslog, but doesn't include the username, probably because the username
can't always be determined until a successful authentication is negotiated
(such as with GSSAPI).

I think this is something that needs to be fixed in a logical and supportable
way.

Is your goal to see the IP address of a failed login attempt within syslog?
Or is your ultimate goal to make use of the IP address within a PAM module
to make authentication decisions?

>At 4:24 AM -0800 03/26/2011, Amir 'CG' Caspi wrote:
>>Hi all,
>>
>>	This topic has come up before (most recently last summer - http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html), 
>>but no resolution was ever reached and this issue has recently 
>>become rather important for me as I've been working to secure my 
>>server.
>>
>>	I'm using CentOS 5 (RHEL 5) with cyrus-sasl 2.1.22-5 (the default 
>>CentOS/RHEL release version).
>>
>>	Using the current codebase, when saslauthd experiences an auth 
>>failure, it does not log the remote host IP or requested login 
>>name.  This is particularly obvious when using PAM, wherein the 
>>failure gets logged to /var/log/secure as:
>>
>>Mar 9 06:56:41 hostname saslauthd[25858]: pam_unix(smtp:auth): 
>>authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>
>>This is a problem because these log entries are essentially useless 
>>for automated firewalling, e.g. via fail2ban or BFD.
>>
>>	In looking through the code, I see that the root cause of the 
>>issue is that auth_pam() in saslauthd/auth_pam.c does not include 
>>any argument for the rhost, and the requested login info is also 
>>(apparently) not passed into the proper field of the pamh 
>>structure; thus, neither rhost nor user get recorded by PAM.
>>
>>	In principle, it should be possible to fill these fields in using 
>>(for example) sasl_getprop and pam_set_item, but I am not 
>>sufficiently well-versed in the codebase to write such a patch.  
>>(In particular, no sasl_conn_t variable is even present in 
>>auth_pam(), which sasl_getprop requires.)
>>	A patch was once written for a (very old!) version of cyrus-sasl, 
>>v1.5.24 (see 
>>http://www.uklinux.net/software/cyrus-sasl-1.5.24-pam-rhost.patch), 
>>but this appears to have never become a part of the official 
>>codebase, and I haven't yet figured out how to forward-port this 
>>patch into the current sasl code.
>>
>>	Has anyone here written or know of a patch for sasl to get 
>>saslauthd (particularly using auth_pam, but also for any other auth 
>>method) to properly record both the rhost and user fields in the 
>>error logs?  If not, would someone be willing to help craft such a 
>>patch?
>>	I think this would be something very important to get into the 
>>codebase, because the PAM errors currently being recorded are of 
>>very limited use, particularly for automated firewalls like 
>>fail2ban or BFD.
>>
>>	Any help would be greatly appreciated - I would very much like to 
>>finally be able to use fail2ban (or BFD) to kill SMTP AUTH hack 
>>attempts.

-- 
Dan White
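The saslauthd request framing Dan describes (userid, password, servicename, realm over a unix socket), as an added example that is not code from this thread or from cyrus-sasl: the 16-bit network-order length prefix per field is the encoding saslauthd uses on its socket, while the optional fifth `client_ip` field is a hypothetical extension of the kind Dan suggests, so that a PAM rhost item would have something to carry. The sample values are constructed.

```python
import struct
import socket

# Fields carried by the existing saslauthd request, in wire order.
LEGACY_FIELDS = ("userid", "password", "servicename", "realm")
# Hypothetical fifth field: the protocol extension Dan suggests so PAM can see rhost.
EXTENDED_FIELDS = LEGACY_FIELDS + ("client_ip",)


def _pack_field(value: str) -> bytes:
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for 16-bit length prefix")
    # 16-bit big-endian (network order) length, then the field bytes.
    return struct.pack("!H", len(data)) + data


def encode_request(userid, password, servicename, realm, client_ip=None) -> bytes:
    values = [userid, password, servicename, realm]
    if client_ip is not None:
        # Validate before putting it on the wire: this value is destined for PAM's rhost item.
        family = socket.AF_INET6 if ":" in client_ip else socket.AF_INET
        socket.inet_pton(family, client_ip)
        values.append(client_ip)
    return b"".join(_pack_field(v) for v in values)


def decode_request(buf: bytes) -> dict:
    """Parse a length-prefixed request; accepts the legacy 4-field and extended 5-field forms."""
    fields, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if pos + length > len(buf):
            raise ValueError("field runs past end of buffer")
        fields.append(buf[pos:pos + length].decode("utf-8"))
        pos += length
    if len(fields) == 4:
        names = LEGACY_FIELDS
    elif len(fields) == 5:
        names = EXTENDED_FIELDS
    else:
        raise ValueError(f"unexpected field count {len(fields)}")
    return dict(zip(names, fields))


def pam_rhost_for(request: dict) -> str:
    """What a PAM rhost item could hold for this request; '' for a legacy request (nothing to log)."""
    return request.get("client_ip", "")
```

With a legacy request the decoded dict has no address at all, which is why the pam_unix line in the thread shows an empty rhost=.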

