From owner-svn-src-head@FreeBSD.ORG Fri Jan 16 09:07:32 2015 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 047BF1A7; Fri, 16 Jan 2015 09:07:32 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E4805DE; Fri, 16 Jan 2015 09:07:31 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t0G97Vvt039561; Fri, 16 Jan 2015 09:07:31 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t0G97Vo8039560; Fri, 16 Jan 2015 09:07:31 GMT (envelope-from des@FreeBSD.org) Message-Id: <201501160907.t0G97Vo8039560@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org using -f From: Dag-Erling Smørgrav Date: Fri, 16 Jan 2015 09:07:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r277237 - head/lib/libpam/modules/pam_radius X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Jan 2015 09:07:32 -0000 Author: des Date: Fri Jan 16 09:07:31 2015 New Revision: 277237 URL: https://svnweb.freebsd.org/changeset/base/277237 Log: If PAM_RHOST is non-NULL, pass it in the Calling-Station-ID attribute of the RADIUS access request. MFC after: 1 week Modified: head/lib/libpam/modules/pam_radius/pam_radius.c Modified: head/lib/libpam/modules/pam_radius/pam_radius.c ============================================================================== --- head/lib/libpam/modules/pam_radius/pam_radius.c Fri Jan 16 07:06:58 2015 (r277236) +++ head/lib/libpam/modules/pam_radius/pam_radius.c Fri Jan 16 09:07:31 2015 (r277237) @@ -62,11 +62,11 @@ __FBSDID("$FreeBSD$"); #define PASSWORD_PROMPT "RADIUS Password:" static int build_access_request(struct rad_handle *, const char *, - const char *, const char *, const char *, const void *, - size_t); + const char *, const char *, const char *, const char *, + const void *, size_t); static int do_accept(pam_handle_t *, struct rad_handle *); static int do_challenge(pam_handle_t *, struct rad_handle *, - const char *, const char *, const char *); + const char *, const char *, const char *, const char *); /* * Construct an access request, but don't send it. Returns 0 on success, @@ -75,7 +75,7 @@ static int do_challenge(pam_handle_t *, static int build_access_request(struct rad_handle *radh, const char *user, const char *pass, const char *nas_id, const char *nas_ipaddr, - const void *state, size_t state_len) + const char *rhost, const void *state, size_t state_len) { int error; char host[MAXHOSTNAMELEN]; @@ -121,8 +121,13 @@ build_access_request(struct rad_handle * } } } - if (state != NULL && rad_put_attr(radh, RAD_STATE, state, - state_len) == -1) { + if (rhost != NULL && + rad_put_string(radh, RAD_CALLING_STATION_ID, rhost) == -1) { + syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh)); + return (-1); + } + if (state != NULL && + rad_put_attr(radh, RAD_STATE, state, state_len) == -1) { syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh)); return (-1); } @@ -162,7 +167,7 @@ do_accept(pam_handle_t *pamh, struct rad static int do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user, - const char *nas_id, const char *nas_ipaddr) + const char *nas_id, const char *nas_ipaddr, const char *rhost) { int retval; int attrtype; @@ -230,7 +235,7 @@ do_challenge(pam_handle_t *pamh, struct conv->appdata_ptr)) != PAM_SUCCESS) return (retval); if (build_access_request(radh, user, resp[num_msgs-1].resp, nas_id, - nas_ipaddr, state, statelen) == -1) + nas_ipaddr, rhost, state, statelen) == -1) return (PAM_SERVICE_ERR); memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp)); free(resp[num_msgs-1].resp); @@ -246,7 +251,7 @@ pam_sm_authenticate(pam_handle_t *pamh, { struct rad_handle *radh; const char *user, *pass; - const void *tmpuser; + const void *rhost, *tmpuser; const char *conf_file, *template_user, *nas_id, *nas_ipaddr; int retval; int e; @@ -255,6 +260,7 @@ pam_sm_authenticate(pam_handle_t *pamh, template_user = openpam_get_option(pamh, PAM_OPT_TEMPLATE_USER); nas_id = openpam_get_option(pamh, PAM_OPT_NAS_ID); nas_ipaddr = openpam_get_option(pamh, PAM_OPT_NAS_IPADDR); + pam_get_item(pamh, PAM_RHOST, &rhost); retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) @@ -284,8 +290,8 @@ pam_sm_authenticate(pam_handle_t *pamh, PAM_LOG("Radius config file read"); - if (build_access_request(radh, user, pass, nas_id, nas_ipaddr, NULL, - 0) == -1) { + if (build_access_request(radh, user, pass, nas_id, nas_ipaddr, rhost, + NULL, 0) == -1) { rad_close(radh); return (PAM_SERVICE_ERR); } @@ -330,7 +336,7 @@ pam_sm_authenticate(pam_handle_t *pamh, case RAD_ACCESS_CHALLENGE: retval = do_challenge(pamh, radh, user, nas_id, - nas_ipaddr); + nas_ipaddr, rhost); if (retval != PAM_SUCCESS) { rad_close(radh); return (retval);