Hi. I thought the link on the commitfest to the GitHub URL was sufficient. Sorry. Attached is a new patch.
On 12/28/2015 09:07 PM, David Fetter wrote: > Please attach the patch or patch set to your email just like else > does
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index cdc5bf1..d42cc76 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1735,6 +1735,20 @@ CheckPAMAuth(Port *port, char *user, char *password)
 {
 int retval;
 pam_handle_t *pamh = NULL;
+ char hostinfo[NI_MAXHOST];
+
+ if (port->hba->pamusedns == true)
+ retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+ hostinfo, sizeof(hostinfo), NULL, 0, 0);
+ else
+ retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+ hostinfo, sizeof(hostinfo), NULL, 0, NI_NUMERICHOST);
+ if (retval) {
+ ereport(LOG,
+ (errmsg("(pam) couldn not determine the remote host information (%s)",
+ gai_strerror(retval))));
+ return STATUS_ERROR;
+ }
 /*
 * We can't entirely rely on PAM to pass through appdata --- it appears
@@ -1780,6 +1794,17 @@ CheckPAMAuth(Port *port, char *user, char *password)
 return STATUS_ERROR;
 }
+ retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+ if (retval != PAM_SUCCESS)
+ {
+ ereport(LOG,
+ (errmsg("pam_set_item(PAM_RHOST) failed: %s",
+ pam_strerror(pamh, retval))));
+ pam_passwd = NULL;
+ return STATUS_ERROR;
+ }
+
 retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
 if (retval != PAM_SUCCESS)
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 94f7cfa..db3fe3c 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1447,6 +1447,15 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
 REQUIRE_AUTH_OPTION(uaPAM, "pamservice", "pam");
 hbaline->pamservice = pstrdup(val);
 }
+ else if (strcmp(name, "pamusedns") == 0)
+ {
+ REQUIRE_AUTH_OPTION(uaPAM, "pamusedns", "pam");
+ if (strcmp(val, "1") == 0)
+ hbaline->pamusedns = true;
+ else
+ hbaline->pamusedns = false;
+
+ }
 else if (strcmp(name, "ldapurl") == 0)
 {
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 68a953a..f39240d 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -64,6 +64,7 @@ typedef struct HbaLine
 char *usermap;
 char *pamservice;
+ bool pamusedns;
 bool ldaptls;
 char *ldapserver;
 int ldapport;
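Review bot: In src/backend/libpq/auth.c (first CheckPAMAuth hunk), the `pamusedns` branch uses whatever name the reverse lookup returns, and nothing in the visible lines forward-confirms it, so the value later handed to PAM as PAM_RHOST is chosen by whoever controls the PTR records for the client address. A PAM module that makes an access decision on rhost would then be trusting unverified data; either confirm the name resolves back to `port->raddr` before using it, or state the limitation next to the lookup, e.g. `/* name comes from an unverified reverse lookup; PAM modules must not treat PAM_RHOST as authenticated */`. The two calls differ only in the last argument, so `int flags = port->hba->pamusedns ? 0 : NI_NUMERICHOST;` followed by a single call would read better, and the log message has a typo (`couldn not`). The function body continues outside the hunk.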
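Review bot: In the second src/backend/libpq/auth.c hunk, PAM_RHOST is set unconditionally, which includes connections that did not arrive over TCP. If `pg_getnameinfo_all` fills `hostinfo` with a placeholder string for a Unix-domain socket peer (its body is not on this page, so this needs checking), PAM modules would receive that placeholder as a remote host name and may try to resolve or match it. Guarding the call, for example with `if (port->raddr.addr.ss_family != AF_UNIX)`, would leave rhost unset for local connections. The new failure path also returns while `pamh` appears to be live and does not release it; whether the neighbouring error paths do the same is outside the hunk.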
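Review bot: In src/backend/libpq/hba.c, any `pamusedns` value other than the literal `1` is silently stored as false, so `pamusedns=true` or a typo turns the option off without any message. For an authentication setting the parser should accept only `0` and `1` and report anything else against `line_num` through whatever error path parse_hba_auth_opt already uses (not visible in this hunk), e.g. by replacing the bare `else` with `else if (strcmp(val, "0") == 0)` and failing in a final `else`. The option would also benefit from a comment stating that, when enabled, the name passed to PAM is the result of a reverse lookup. The empty added line before the closing brace can be dropped.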