saslauthd SASL_IPREMOTEPORT -> PAM_RHOST

omalleys at msu.edu
Mon May 23 14:10:17 EDT 2011



Quoting Amir 'CG' Caspi <cepheid at 3phase.com>:

> On Mon, 23 May 2011 at 02:59:58 -0700, Amir 'CG' Caspi wrote:
>> 	As for the remote user, I can see that saslauthd does receive that  
>> info, but it doesn't log it via PAM, as you can see.  I believe  
>> this is because the remote user is not being passed into the  
>> correct field of the pamh struct, within auth_pam.  It's being  
>> passed into the login field, but it should also be passed into the  
>> user field, I believe.  I'm not a PAM expert, so I can't be sure,  
>> but I think this is the case.
>
> After looking at auth_pam() some more and after reading a bit of PAM  
> documentation, I think that in addition to PAM_RHOST, one also needs  
> to set PAM_USER.  This is done with pam_set_item, just as for  
> PAM_RHOST.
>
> I *THINK* a simple call such as:
>
> pam_set_item(pamh, PAM_USER, login)
>
> would work to get PAM to recognize the username and log it  
> appropriately.  This would be done in the same place as setting  
> PAM_RHOST.
>
> Could you try this on your patched copy to see if it works?  If so,  
> the patch can be updated to include this line, and I think that  
> would fix pretty much everything. =)

My understanding is that it is up to the calling application to log  
the data, like CyrusMail should be logging auths. If you enable the  
debug flag for the PAM modules, or saslauthd, you will get additional  
debug information which includes the information you are looking for.  
However, it is more aimed at developers than it is at end users.

Off the top of my head, PAM_USER is passed into the initial structure  
via an environmental variable; PAM_RHOST is actually set via a  
callback to an existing pointer.

If you use pam_set_item on PAM_USER it is actually only a temporary  
change, and won't get passed back to the calling application. And I  
don't recall off the top of my head whether this gets passed through  
the rest of the PAM stack or not.

I.e., you auth to cyrusmail as user ME, then user ME gets passed to PAM.  
If your first module, pam_changeme.so, changes the PAM_USER variable to  
the user YOU for the rest of the auth session, then you will see in your  
cyrusmail logs "user=ME auth failed"; in your PAM debug logs, you will  
see "user=YOU failed" for the pam_changeme.so debug session.

Kind of makes sense?
