saslauthd/PAM IP logging on failure

[Amir 'CG' Caspi]

At 1:16 AM -0500 04/03/2011, Dan White wrote:
>One approach might be to add an additional item to the protocol that 
>passes the client IP on to PAM.

	Right, that sounds like probably the best (perhaps only) way 
to do it... if saslauthd isn't even getting the remote IP, then the 
first step is to pass the remote IP to saslauthd, so that it can then 
pass it on to whichever auth method it's using (whether that's PAM, 
kerberos, or whatever else).

	Although, that brings up a question: would sendmail then need 
to be modified to pass the rhost IP to saslauthd, as well?  As in, 
would implementing this change not do anything, if sendmail isn't 
also modified?

>I think this is something needs to be fixed in a logical, and supportable
>way.

	Agreed!  And, based on Google searches (and this own list's 
history), I know I'm not the only one who wants to see saslauthd 
properly logging the remote IP (whether it's via PAM or via any other 
authentication method).

>Is your goal to see the IP address of a failed login attempt within syslog?
>Or is your ultimate goal to make use of the ip address within a pam module
>to make authentication decisions?

	The first one - I want to see the IP address of the failed 
login within syslog, so that brute-force detection utilities (e.g. 
fail2ban or BFD) can then use that information to ban those IPs. 
This would allow prevention of hack attempts or DDoS attacks 
automatically.

	Of course, having the IP within the PAM module would 
obviously also allow authenatication decisions (e.g. for people who 
want to restrict usage to certain subnets), but my primarily goal is 
just getting the IP address in the logs.

(The requested username would be nice, too, since that information is 
already there - it's already being passed to saslauthd, but, for some 
reason, is also not being logged by PAM.  But, the rhost IP is the 
paramount piece of info.)

Thanks. =)
						--- Amir