saslauthd SASL_IPREMOTEPORT -> PAM_RHOST

Amir 'CG' Caspi cepheid at 3phase.com
Mon May 23 14:43:14 EDT 2011


Hi all,

	Ah, I see.  That makes sense.  I see that PAM does only log 
the user info if it's a known user... I checked my SSH logs, for 
example, and you're right - the user field is populated only for 
existing users.
	So, I can see why to avoid setting PAM_USER.

	Of course, the rhost really is the most important piece 
anyway, since that's what I need for firewalling.  I can live without 
the bad username, since apparently it's not logged anyway even with 
other services.

	I'll try to compile a local copy of cyrus-sasl to see if this 
patch works for me, though I unfortunately don't have a test server 
(only a production server) so I'm not sure when I can find some 
downtime to test this.

	Thanks for the help so far, Lorenzo!  (And Sean!)

						--- Amir

At 8:33 PM +0200 05/23/2011, Lorenzo M. Catucci wrote:
>On 05/23/2011 08:10 PM, omalleys at msu.edu wrote:
>>
>>  My understanding is that it is up to the calling application to log
>>  the data like CyrusMail should be logging auths,
>
>VERY, VERY TRUE!!! Sorry for AOL-ing!
>
>>  If you use PAM_SET_ITEM on PAM_USER it is actually only a temporary
>>  change, and won't get passed back to the calling application. And I
>>  don't recall off the top of my head whether this gets passed through
>>  the rest of the pam stack or not.
>
>Really, PAM_USER should be treated as a "read only" item by the
>application, as I tried to express in my previous mail;
>on the other hand, RUSER should be set from the application only when
>really defined; in the case of an unknown
>requestor, one can as well set RUSER to "anonymous" or "root", but not
>to the proposed login.
>
>Thank you very much, yours
>
>         lorenzo


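An added illustration, not code from cyrus-sasl or from the patch discussed in this thread: the one step such a change has to get right is pulling the address out of the SASL_IPREMOTEPORT string, whose documented form is `addr;port`, and validating it before it is handed to PAM_RHOST, because that value ends up in PAM logs and in the firewall rules Amir wants to drive from them. The function name and the sample strings are constructed.

```python
import ipaddress
from typing import Optional


def rhost_from_ipremoteport(ipremoteport: str) -> Optional[str]:
    """Return the address part of a SASL_IPREMOTEPORT value ("addr;port"),
    normalised, or None if the value is not a clean address/port pair.

    Only a validated IP literal should reach PAM_RHOST: whatever is set there
    is written verbatim into auth logs that tools like log-based firewalling
    parse, so malformed or injected text must be rejected, not passed on.
    """
    if not ipremoteport:
        return None
    # IPv6 literals contain ':' so split on the last ';', never on ':'.
    addr, sep, port = ipremoteport.rpartition(";")
    if not sep:
        return None                      # no ';' at all: not "addr;port"
    if not port.isdigit() or not 0 <= int(port) <= 65535:
        return None                      # port must be a plain number
    try:
        # ip_address() rejects anything that is not a bare IPv4/IPv6 literal
        # (hostnames, spaces, "user=root", ...) and normalises IPv6 spelling.
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


# Constructed sample values (hypothetical clients), with the expected result.
SAMPLES = {
    "192.0.2.10;51234": "192.0.2.10",          # plain IPv4
    "2001:db8::1;993": "2001:db8::1",          # IPv6 with ':' in the address
    "2001:0db8:0000:0000:0000:0000:0000:0001;993": "2001:db8::1",  # normalised
    "192.0.2.10": None,                        # no port separator
    "192.0.2.10;abc": None,                    # non-numeric port
    "192.0.2.10 user=root;1": None,            # injected text, rejected
}


def check_samples() -> bool:
    """True if every constructed sample parses to its expected value."""
    return all(rhost_from_ipremoteport(s) == want for s, want in SAMPLES.items())


if __name__ == "__main__":
    for s, want in SAMPLES.items():
        print(f"{s!r:48} -> {rhost_from_ipremoteport(s)!r} (expected {want!r})")
```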