Package: pure-ftpd
Version: 1.0.30-1

When attempting to use pam_access in combination with pure-ftpd, I get
the following odd behaviour:

My /etc/pam.d/pure-ftpd file contains this line:

account  required     pam_access.so

My /etc/security/access.conf file contains these lines:

# Allow logins only from 192.168.1.2 and 192.168.1.3
+:ALL:192.168.1.2 192.168.1.3
-:ALL:ALL


When a connection starts, and the source IP address can be resolved by
reverse lookup, then everything works as expected.  However, when the IP
address cannot be resolved by reverse lookup, pam_access complains with the
following message in /var/log/auth.log:

pure-ftpd: pam_access(pure-ftpd:account): access denied for user `testuser' from `pure-ftpd'

pam_access seems to have received the string 'pure-ftpd' as the remote
host.  Since that's neither 192.168.1.2 nor 192.168.1.3, it denies access.


Looking at the Debian patch for pure-ftpd, I can see the following
within pure-ftpd-1.0.30/src/log_pam.c (near line 167):

hent = gethostbyaddr(&STORAGE_SIN_ADDR(*peer), sizeof(STORAGE_SIN_ADDR(*peer)), AF_INET);
...
if (!hent)
    /* reverse lookup failed: no remote host is handed to PAM at all */
    (void)pam_set_item(pamh, PAM_RHOST, NULL);
else
    (void)pam_set_item(pamh, PAM_RHOST, hent->h_name);

So this looks like whenever the IP address cannot be resolved to a
hostname, NULL is submitted back to PAM as the remote host.
(Presumably, PAM is interpreting this as the service name, i.e.
'pure-ftpd'.)

However, if the above code is changed to this:

hent = gethostbyaddr(&STORAGE_SIN_ADDR(*peer), sizeof(STORAGE_SIN_ADDR(*peer)), AF_INET);
...
if (!hent) {
    /* reverse lookup failed: fall back to the dotted-quad address
     * (inet_ntoa needs <arpa/inet.h>; PAM copies the string, so the
     * static buffer it returns is safe to pass here) */
    struct in_addr tmp;
    tmp.s_addr = STORAGE_SIN_ADDR(*peer);
    (void)pam_set_item(pamh, PAM_RHOST, inet_ntoa(tmp));
} else
    (void)pam_set_item(pamh, PAM_RHOST, hent->h_name);

then PAM receives the IP address (in this case, the string
"192.168.1.2") and accepts the connection as expected.

This seems to resolve the problem for me.  I'm not an expert at PAM
programming though, so I don't know if this is even legit or if I'm
violating some PAM rule by passing the IP address as the hostname.
Additionally, some extra stuff will definitely need to be added to allow
it to work with IPv6 (which I've completely ignored here).

Thanks,

Rich.
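The fallback from the patch above, carried through to IPv6 (which the report leaves open), as an added example that is not part of the report or of pure-ftpd: pam_rhost_string() builds the string that would be handed to pam_set_item(pamh, PAM_RHOST, ...), using the reverse-lookup name when there is one and the numeric peer address otherwise, so pam_access always gets a real host to match against. make_peer() and the sample addresses are constructed for the demo, and the PAM call itself is left out so the file builds without libpam.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* String for pam_set_item(pamh, PAM_RHOST, ...): the resolved name if there is one, else
 * the numeric peer address so pam_access has a real host to match. NULL: unknown family. */
const char *pam_rhost_string(const struct sockaddr_storage *peer,
                             const char *resolved, char *buf, size_t buflen)
{
    if (resolved != NULL && *resolved != '\0') {
        snprintf(buf, buflen, "%s", resolved);
        return buf;
    }
    if (peer->ss_family == AF_INET) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)peer;
        return inet_ntop(AF_INET, &sin->sin_addr, buf, (socklen_t)buflen);
    }
    if (peer->ss_family == AF_INET6) {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)peer;
        /* IPv4 clients on a dual-stack socket arrive as ::ffff:a.b.c.d; print them as IPv4 */
        if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
            return inet_ntop(AF_INET, &sin6->sin6_addr.s6_addr[12], buf, (socklen_t)buflen);
        return inet_ntop(AF_INET6, &sin6->sin6_addr, buf, (socklen_t)buflen);
    }
    return NULL;
}

/* Demo helper (not part of pure-ftpd): build a peer address from its text form. */
int make_peer(const char *text, struct sockaddr_storage *out)
{
    memset(out, 0, sizeof *out);
    out->ss_family = strchr(text, ':') ? AF_INET6 : AF_INET;
    void *addr = out->ss_family == AF_INET6
        ? (void *)&((struct sockaddr_in6 *)out)->sin6_addr
        : (void *)&((struct sockaddr_in *)out)->sin_addr;
    return inet_pton(out->ss_family, text, addr) == 1 ? 0 : -1;
}

int main(void)
{
    /* Constructed peers, each with the reverse lookup assumed to have failed (NULL). */
    const char *peers[] = { "192.168.1.2", "::ffff:192.168.1.3", "2001:db8::1" };
    struct sockaddr_storage peer;
    char buf[INET6_ADDRSTRLEN];
    for (int i = 0; i < 3 && make_peer(peers[i], &peer) == 0; i++)
        printf("%-20s -> PAM_RHOST \"%s\"\n", peers[i], pam_rhost_string(&peer, NULL, buf, sizeof buf));
    return 0;
}
```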


