Date: Mon, 31 Aug 1998 12:16:37 +0200
From: Max Liccardo <mliccardo@tim.it>
To: pam-list@redhat.com
Subject: Re: Error with pam_access.so
Status: RO

Jeremy Bettis wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is there any auth module that can limit by ip number?
>
> Telnet seems to ignore the account modules. I'd really like something
> like pam_tcp_wrappers...
>
>

Ok,
I wrote a pam_tcp_wrappers module just for fun ..... and it seems to work !!
(tried on linux only, sorry, I don't have a Solaris 2.6 at home.....).
I used some existing code to start, so thanks to the pam developers !!!!


-----------------------cut here--------------------------------------

/* pam_tcpd module */

/*
 * $Id: pam_tcpd.c,v 1.0 1998/07/25 17:13:17 max Exp max $
 *
 * Written by Max Liccardo <m.liccardo@macronet.it> 1998/7/21
 *
 * $Log: pam_tcpd.c,v $
 * Revision 1.0  1998/07/25 17:13:17  max
 * Initial revision
 *
 *
 * gcc -fPIC -c pam_tcpd.c
 * ld -x --shared -o pam_tcpd.so pam_tcpd.o -lwrap -lpam -lc
 */

#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#include <tcpd.h>




/*
 * here, we make a definition for the externally accessible function
 * in this file (this definition is required for a static module
 * but strongly encouraged generally) it is used to instruct the
 * modules include file to define the function prototypes.
 */

#define PAM_SM_AUTH

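/*
 * Logging severities that tcpd.h declares as externs to be supplied by the
 * program that links -lwrap.  As tentative definitions they were previously
 * zero-initialised, and 0 is LOG_EMERG in <syslog.h>; give them the
 * conventional "allowed" / "denied" levels instead.
 */
int allow_severity = LOG_INFO;
int deny_severity = LOG_WARNING;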


#include <security/pam_modules.h>

/* some syslogging */

/*
 * Emit one syslog message at priority `err`, formatted printf-style from
 * `format` and the trailing arguments.  The log is opened and closed around
 * each message so every line carries the "PAM-tcpd" identity, the PID and
 * the LOG_AUTHPRIV facility regardless of what the host application did.
 */
static void _pam_log(int err, const char *format, ...)
{
    va_list ap;

    openlog("PAM-tcpd", LOG_PID, LOG_AUTHPRIV);
    va_start(ap, format);
    vsyslog(err, format, ap);
    va_end(ap);
    closelog();
}


/* argument parsing */

#define PAM_DEBUG_ARG       01

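/*
 * Parse the module arguments given on the pam.conf line.
 *
 * @param argc  number of entries in argv
 * @param argv  module arguments as passed to pam_sm_authenticate()
 * @return      bit set of PAM_*_ARG flags; only PAM_DEBUG_ARG exists today
 *
 * Only "debug" is recognised.  Anything else is reported at LOG_ERR and
 * otherwise ignored, so a misspelt option does not change the verdict.
 * strcmp() requires <string.h>; the original translation unit relied on an
 * implicit declaration for it.
 */
static int _pam_parse(int argc, const char **argv)
{
    int ctrl = 0;

    for (; argc > 0; --argc, ++argv) {
        if (strcmp(*argv, "debug") == 0) {
            ctrl |= PAM_DEBUG_ARG;
        } else {
            _pam_log(LOG_ERR, "pam_parse: unknown option %s", *argv);
        }
    }

    return ctrl;
}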

/* --- authentication management functions (only) --- */

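/*
 * Authentication entry point: ask libwrap (hosts.allow / hosts.deny) whether
 * the remote host recorded in PAM_RHOST may use the service in PAM_SERVICE.
 *
 * @param pamh   PAM handle; PAM_SERVICE, PAM_RHOST and PAM_RUSER are read
 * @param flags  unused (PAM_SILENT and friends are not honoured)
 * @param argc   number of module arguments
 * @param argv   module arguments; "debug" enables LOG_DEBUG tracing
 * @return       PAM_SUCCESS when hosts_access() permits the request,
 *               PAM_AUTH_ERR when it denies it, and PAM_AUTHINFO_UNAVAIL
 *               when the service or remote host cannot be determined.
 *
 * NOTE(review): only a client *name* is handed to libwrap, never an address,
 * so the ACL decision rests on the string the application stored in
 * PAM_RHOST; libwrap's address-based patterns and its hostname/address
 * cross-check presumably cannot apply here — confirm against libwrap.
 * Likewise PAM_RUSER is whatever the application set (for some services it
 * originates from the remote client), so user@host ACL entries are only as
 * trustworthy as that source.
 */
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
                        const char **argv)
{
    struct request_info s_rqinfo;
    int ctrl;
    int retval;
    /*
     * Start from NULL: pam_get_item() leaves the pointer untouched on
     * failure, and the original code then passed an indeterminate
     * lpszRUser on to request_init() whenever PAM_RUSER was unavailable.
     */
    const char *lpszRHost = NULL;
    const char *lpszRUser = NULL;
    const char *lpszServiceName = NULL;

    (void)flags;

    ctrl = _pam_parse(argc, argv);

    retval = pam_get_item(pamh, PAM_SERVICE, (const void **)&lpszServiceName);
    if (retval != PAM_SUCCESS) {
        _pam_log(LOG_ERR, "cannot obtain service name: %s",
                 pam_strerror(pamh, retval));
        return PAM_AUTHINFO_UNAVAIL;
    }
    if (lpszServiceName == NULL) {
        _pam_log(LOG_ERR, "service name is not set");
        return PAM_AUTHINFO_UNAVAIL;
    }

    retval = pam_get_item(pamh, PAM_RHOST, (const void **)&lpszRHost);
    if (retval != PAM_SUCCESS) {
        _pam_log(LOG_ERR, "cannot obtain remote host name: %s",
                 pam_strerror(pamh, retval));
        return PAM_AUTHINFO_UNAVAIL;
    }
    if (lpszRHost == NULL) {
        /*
         * No remote host recorded (e.g. a local login).  There is nothing
         * for the wrappers ACL to match, and request_init() is not
         * documented to accept a NULL client name, so fail closed instead
         * of handing it one.
         */
        _pam_log(LOG_ERR, "remote host name is not set; refusing");
        return PAM_AUTHINFO_UNAVAIL;
    }

    /* PAM_RUSER is optional: its absence is only worth a debug line. */
    retval = pam_get_item(pamh, PAM_RUSER, (const void **)&lpszRUser);
    if ((retval != PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) {
        _pam_log(LOG_DEBUG, "cannot obtain remote username: %s",
                 pam_strerror(pamh, retval));
    }

    if (ctrl & PAM_DEBUG_ARG) {
        /* %s with a NULL argument is undefined; substitute a placeholder. */
        _pam_log(LOG_DEBUG, "required authetication for SERVICE %s FROM %s@%s",
                 lpszServiceName,
                 lpszRUser != NULL ? lpszRUser : "(none)",
                 lpszRHost);
    }

    /*
     * request_init()/request_set() are variadic and read these values as
     * char *; the casts only drop the qualifier, libwrap copies the strings.
     * When no remote user is known the RQ_USER field is left unset rather
     * than passing NULL, so libwrap applies its own "unknown" handling.
     */
    request_init(&s_rqinfo,
                 RQ_CLIENT_NAME, (char *)lpszRHost,
                 RQ_DAEMON, (char *)lpszServiceName,
                 0);
    if (lpszRUser != NULL) {
        request_set(&s_rqinfo, RQ_USER, (char *)lpszRUser, 0);
    }

    /* hosts_access() returns 0 to deny; any other value permits. */
    return (hosts_access(&s_rqinfo) == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
}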

/*
 * Credential entry point.  This module establishes no credentials; the
 * hosts.allow/hosts.deny check in pam_sm_authenticate() is the whole of
 * its behaviour, so every call succeeds unconditionally.  The parameters
 * are part of the PAM module interface and deliberately unused.
 */
PAM_EXTERN
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
                   const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;

    return PAM_SUCCESS;
}


#ifdef PAM_STATIC

/* static module data */

/*
 * Registration record used when the module is linked statically into libpam
 * (see the PAM_SM_AUTH comment above).  Only the authentication pair is
 * provided; the remaining positional slots are NULL, so no other management
 * group is available from this module.
 * NOTE(review): the NULL slots presumably are acct_mgmt, open_session,
 * close_session and chauthtok in pam_modules.h order — confirm against the
 * struct pam_module definition before adding a handler.
 */
struct pam_module _pam_tcpd_modstruct = {
    "pam_tcpd",
    pam_sm_authenticate,
    pam_sm_setcred,
    NULL,
    NULL,
    NULL,
    NULL,
};

#endif

/* end of module definition */

------------------------------cut here-----------------------------

--
Max Liccardo                    mliccardo@tim.it   (at work)
                                m.liccardo@flashnet.it   (at home,sweet home)

                                "..fatti non foste per viver come bruti,
                                  ma per seguir virtute e cAnoscenza .."



-- 
To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null