saslauthd SASL_IPREMOTEPORT -> PAM_RHOST
Amir 'CG' Caspi
cepheid at 3phase.com
Mon May 23 14:43:14 EDT 2011
Hi all,
Ah, I see. That makes sense. I see that PAM does only log
the user info if it's a known user... I checked my SSH logs, for
example, and you're right - the user field is populated only for
existing users.
So, I can see why to avoid setting PAM_USER.
Of course, the rhost really is the most important piece
anyway, since that's what I need for firewalling. I can live without
the bad username, since apparently it's not logged anyway even with
other services.
I'll try to compile a local copy of cyrus-sasl to see if this
patch works for me, though I unfortunately don't have a test server
(only a production server) so I'm not sure when I can find some
downtime to test this.
Thanks for the help so far, Lorenzo! (And Sean!)
--- Amir
At 8:33 PM +0200 05/23/2011, Lorenzo M. Catucci wrote:
>On 05/23/2011 08:10 PM, omalleys at msu.edu wrote:
>>
>> My understanding is that it is up to the calling application to log
>> the data like CyrusMail should be logging auths,
>
>VERY, VERY TRUE!!! Sorry for AOL-ing!
>
>> If you use PAM_SET_ITEM on PAM_USER it is actually only a temporary
>> change, and won't get passed back to the calling application. And I
>> don't recall off the top of my head whether this gets passed through
>> the rest of the pam stack or not.
>
>Really, PAM_USER should be treated as a "read only" item by the
>application, as I tried to express in my previous mail;
>on the other hand, RUSER should be set from the application only when
>really defined; in the case of an unknown
>requestor, one can as well set RUSER to "anonymous" or "root", but not
>to the proposed login.
>
>Thank you very much, yours
>
> lorenzo
More information about the Cyrus-sasl
mailing list