Yes, sorry. I was in a hurry when I posted this message.
I don't understand why in the CheckPAMAuth function only the PAM_USER item is
added to the PAM information before authenticating?
Would it be a problem to set additional PAM information like
PAM_RHOST, which is very useful because we can use this item to restrict
access to this IP address?
I hope I'm more specific now and you will understand me.
Sorry, but I'm not a native English speaker.
Patch in attachment, and link below to the web view on GitHub:
https://github.com/grzsmp/postgres/commit/5e2b102ec6de27e786d627623dcb187e997609e4

On Tue, Oct 13, 2015 at 7:08 PM, Robert Haas <robertmh...@gmail.com> wrote:

> On Mon, Oct 12, 2015 at 12:01 PM, kolo hhmow <grz...@gmail.com> wrote:
> > Would it be a problem to set an additional item (rhost) before the
> > pam_authentication function in backend/libpq/auth.c?
> > It is very useful because you can restrict access to a given IP address
> > like in MySQL.
> > And this is actually utilized in pam-pgsql, which cannot be used because
> > the rhost item is empty.
>
> I can't understand what you are suggesting here.  Perhaps you could be
> more specific, or propose a patch.
>
> --
> Robert Haas
> EnterpriseDB: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index aca4ffe..1cff899 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1736,7 +1736,9 @@ CheckPAMAuth(Port *port, char *user, char *password)
 {
 	int			retval;
 	pam_handle_t *pamh = NULL;
-
+	char hostinfo[NI_MAXHOST];
+        pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+                        hostinfo, sizeof(hostinfo), NULL, 0, NI_NUMERICHOST);
 	/*
 	 * We can't entirely rely on PAM to pass through appdata --- it appears
 	 * not to work on at least Solaris 2.6.  So use these ugly static
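Review bot: the return value of pg_getnameinfo_all() is discarded at the new call, so a failed address conversion goes unnoticed and whatever is in hostinfo is later handed to PAM as the remote host. Check the result and either log and return STATUS_ERROR or skip setting PAM_RHOST, so that a PAM rule keyed on the client address never evaluates an unverified value. Style: the call sits directly under the declaration with the separating blank line removed, and its lines are indented with spaces where the surrounding code uses tabs; restore the blank line and reindent with tabs.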
@@ -1780,6 +1782,16 @@ CheckPAMAuth(Port *port, char *user, char *password)
 		pam_passwd = NULL;		/* Unset pam_passwd */
 		return STATUS_ERROR;
 	}
+	
+	retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+	if (retval != PAM_SUCCESS)
+	{
+		ereport(LOG,
+                                (errmsg("pam_set_item(PAM_RHOST) failed: %s",
+                                        	pam_strerror(pamh, retval))));
+                pam_passwd = NULL;      	/* Unset pam_passwd */
+                return STATUS_ERROR;
+	}
 
 	retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
 
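Review bot: the added pam_set_item(PAM_RHOST) block mixes spaces and tabs in the ereport() call and in the two lines that follow it, and the first added line contains only a tab; reindent with tabs to match the existing error block just above it. Because the first hunk requests NI_NUMERICHOST, PAM_RHOST will always carry the numeric client address and never a host name. A short comment here, plus a note in the PAM authentication documentation, would tell administrators that host-based PAM rules must match on IP addresses.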
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
