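Date: Mon, 31 Aug 1998 12:16:37 +0200
From: Max Liccardo
To: pam-list@redhat.com
Subject: Re: Error with pam_access.so
Status: RO

Jeremy Bettis wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is there any auth module that can limit by ip number?
>
> Telnet seems to ignore the account modules. I'd really like something
> like pam_tcp_wrappers...
>
>

Ok, I wrote just for funny a pam_tcp_wrappers module .....and it seems to
work !! (tried on linux only, sorry, I don't have a Solaris 2.6 at
home.....). I used some existing code to start, so thanks to the pam
developers !!!!

-----------------------cut here--------------------------------------
/* pam_tcpd module */

/*
 * $Id: pam_tcpd.c,v 1.0 1998/07/25 17:13:17 max Exp max $
 *
 * Written by Max Liccardo 1998/7/21
 *
 * $Log: pam_tcpd.c,v $
 * Revision 1.0 1998/07/25 17:13:17 max
 * Initial revision
 *
 *
 * gcc -fPIC -c pam_tcpd.c
 * ld -x --shared -o pam_tcpd.so pam_tcpd.o -lwrap -lpam -lc
 */

/*
 * NOTE(review): the header names following "#include" were lost in the
 * archived copy of this message. The names below are reconstructed from the
 * symbols the code uses (va_list, strcmp, openlog/vsyslog, request_init/
 * hosts_access, and the PAM module API); confirm them against your system.
 */
#include <stdarg.h>
#include <string.h>
#include <syslog.h>
#include <tcpd.h>

/*
 * here, we make a definition for the externally accessible function
 * in this file (this definition is required for static a module
 * but strongly encouraged generally) it is used to instruct the
 * modules include file to define the function prototypes.
 */

#define PAM_SM_AUTH

/*
 * Severity variables that the wrapper library expects its host program to
 * provide. They are left zero-initialised, exactly as posted.
 * NOTE(review): these are global symbols in a shared module; check for a
 * clash if the calling application defines them too.
 */
int allow_severity;
int deny_severity;

#include <security/pam_modules.h>

/* some syslogging */

/*
 * Write one printf-style message to syslog under the "PAM-tcpd" identity.
 *
 * err    - syslog priority (LOG_ERR, LOG_DEBUG, ...)
 * format - printf-style format string, always a literal at the call sites
 *
 * openlog()/closelog() are called around every message, so the syslog
 * identity of the calling application is replaced for the duration.
 */
static void _pam_log(int err, const char *format, ...)
{
    va_list args;

    va_start(args, format);
    openlog("PAM-tcpd", LOG_PID, LOG_AUTHPRIV);
    vsyslog(err, format, args);
    va_end(args);
    closelog();
}

/* argument parsing */

#define PAM_DEBUG_ARG 01

/*
 * Turn the module arguments from the PAM configuration line into a bit mask.
 * Only "debug" is recognised; anything else is logged and ignored.
 *
 * Returns the mask (PAM_DEBUG_ARG or 0).
 */
static int _pam_parse(int argc, const char **argv)
{
    int ctrl = 0;
    int i;

    /* step through arguments */
    for (i = 0; i < argc; ++i) {
        /* generic options */
        if (strcmp(argv[i], "debug") == 0) {
            ctrl |= PAM_DEBUG_ARG;
        } else {
            _pam_log(LOG_ERR, "pam_parse: unknown option %s", argv[i]);
        }
    }

    return ctrl;
}

/*
 * Fetch a string-valued PAM item.
 *
 * *out is the item on success and NULL otherwise, so callers never read an
 * indeterminate pointer. A successful call may still yield NULL when the
 * application never set the item. Returns the pam_get_item() status.
 */
static int _pam_get_string(pam_handle_t *pamh, int item_type, const char **out)
{
    const void *item = NULL;
    int rc = pam_get_item(pamh, item_type, &item);

    *out = (rc == PAM_SUCCESS) ? (const char *)item : NULL;
    return rc;
}

/* --- authentication management functions (only) --- */

/*
 * Decide whether the remote peer of this PAM transaction passes the
 * hosts_access() rules, using PAM_SERVICE as the daemon name, PAM_RHOST as
 * the client host name and, when available, PAM_RUSER as the client user.
 *
 * Returns PAM_SUCCESS when hosts_access() grants access, PAM_AUTH_ERR when
 * it refuses, and PAM_AUTHINFO_UNAVAIL when the service name or the remote
 * host cannot be obtained.
 *
 * PAM_SUCCESS here rests on the access rules alone; no credential is
 * checked, so this module has to be stacked with one that actually
 * authenticates the user.
 *
 * NOTE(review): PAM_RHOST holds whatever the calling application stored.
 * Only the client *name* slot of the request is filled from it; verify that
 * address and netmask patterns in the access files behave as intended when
 * the application supplies a numeric address.
 */
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
                        ,const char **argv)
{
    struct request_info s_rqinfo;
    const char *service = NULL;
    const char *rhost = NULL;
    const char *ruser = NULL;
    int ctrl;
    int retval;

    (void)flags;

    ctrl = _pam_parse(argc, argv);

    retval = _pam_get_string(pamh, PAM_SERVICE, &service);
    if (retval != PAM_SUCCESS) {
        _pam_log(LOG_ERR, "cannot obtain service name: %s",
                 pam_strerror(pamh, retval));
        return PAM_AUTHINFO_UNAVAIL;
    }
    if (service == NULL) {
        _pam_log(LOG_ERR, "service name is not set");
        return PAM_AUTHINFO_UNAVAIL;
    }

    retval = _pam_get_string(pamh, PAM_RHOST, &rhost);
    if (retval != PAM_SUCCESS) {
        _pam_log(LOG_ERR, "cannot obtain remote host name: %s",
                 pam_strerror(pamh, retval));
        return PAM_AUTHINFO_UNAVAIL;
    }
    if (rhost == NULL) {
        /*
         * The item can be unset (e.g. a local login). There is nothing to
         * evaluate the rules against, so refuse instead of handing a NULL
         * string to request_init().
         */
        _pam_log(LOG_ERR, "remote host name is not set");
        return PAM_AUTHINFO_UNAVAIL;
    }

    /* The remote user is optional: a failure is only reported in debug mode. */
    retval = _pam_get_string(pamh, PAM_RUSER, &ruser);
    if ((retval != PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) {
        _pam_log(LOG_DEBUG, "cannot obtain remote username: %s",
                 pam_strerror(pamh, retval));
    }

    if (ctrl & PAM_DEBUG_ARG) {
        _pam_log(LOG_DEBUG,
                 "required authetication for SERVICE %s FROM %s@%s",
                 service, (ruser != NULL) ? ruser : "unknown", rhost);
    }

    /* Pass RQ_USER only when a remote user name is actually available. */
    if (ruser != NULL) {
        request_init(&s_rqinfo, RQ_CLIENT_NAME, rhost,
                     RQ_DAEMON, service,
                     RQ_USER, ruser,
                     0);
    } else {
        request_init(&s_rqinfo, RQ_CLIENT_NAME, rhost,
                     RQ_DAEMON, service,
                     0);
    }

    /* hosts_access() returns 0 when access is refused. */
    retval = (hosts_access(&s_rqinfo) == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;

    return retval;
}

/*
 * Credential hook. This module holds no credentials, so it always reports
 * PAM_SUCCESS.
 */
PAM_EXTERN
int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
                   ,const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;

    return PAM_SUCCESS;
}


#ifdef PAM_STATIC

/* static module data */

struct pam_module _pam_tcpd_modstruct = {
    "pam_tcpd",
    pam_sm_authenticate,
    pam_sm_setcred,
    NULL,
    NULL,
    NULL,
    NULL,
};

#endif

/* end of module definition */
------------------------------cut here-----------------------------

--
Max Liccardo
mliccardo@tim.it (at work)
m.liccardo@flashnet.it (at home,sweet home)

"..fatti non foste per viver come bruti,
ma per seguir virtute e cAnoscenza .."

--
To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null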