Date:      Fri, 16 Jan 2015 09:07:31 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r277237 - head/lib/libpam/modules/pam_radius
Message-ID:  <201501160907.t0G97Vo8039560@svn.freebsd.org>

Author: des
Date: Fri Jan 16 09:07:31 2015
New Revision: 277237
URL: https://svnweb.freebsd.org/changeset/base/277237

Log:
  If PAM_RHOST is non-NULL, pass it in the Calling-Station-ID attribute of
  the RADIUS access request.
  
  MFC after:	1 week

Modified:
  head/lib/libpam/modules/pam_radius/pam_radius.c

Modified: head/lib/libpam/modules/pam_radius/pam_radius.c
==============================================================================
--- head/lib/libpam/modules/pam_radius/pam_radius.c	Fri Jan 16 07:06:58 2015	(r277236)
+++ head/lib/libpam/modules/pam_radius/pam_radius.c	Fri Jan 16 09:07:31 2015	(r277237)
@@ -62,11 +62,11 @@ __FBSDID("$FreeBSD$");
 #define	PASSWORD_PROMPT		"RADIUS Password:"
 
 static int	 build_access_request(struct rad_handle *, const char *,
-		    const char *, const char *, const char *, const void *,
-		    size_t);
+		    const char *, const char *, const char *, const char *,
+		    const void *, size_t);
 static int	 do_accept(pam_handle_t *, struct rad_handle *);
 static int	 do_challenge(pam_handle_t *, struct rad_handle *,
-		    const char *, const char *, const char *);
+		    const char *, const char *, const char *, const char *);
 
 /*
  * Construct an access request, but don't send it.  Returns 0 on success,
@@ -75,7 +75,7 @@ static int	 do_challenge(pam_handle_t *,
 static int
 build_access_request(struct rad_handle *radh, const char *user,
     const char *pass, const char *nas_id, const char *nas_ipaddr,
-    const void *state, size_t state_len)
+    const char *rhost, const void *state, size_t state_len)
 {
 	int error;
 	char host[MAXHOSTNAMELEN];
@@ -121,8 +121,13 @@ build_access_request(struct rad_handle *
 			}
 		}
 	}
-	if (state != NULL && rad_put_attr(radh, RAD_STATE, state,
-	    state_len) == -1) {
+	if (rhost != NULL &&
+	    rad_put_string(radh, RAD_CALLING_STATION_ID, rhost) == -1) {
+		syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
+		return (-1);
+	}
+	if (state != NULL &&
+	    rad_put_attr(radh, RAD_STATE, state, state_len) == -1) {
 		syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh));
 		return (-1);
 	}
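Review bot: The value written into Calling-Station-Id on L57-L58 is whatever string the calling application stored in PAM_RHOST, unvalidated, and for many PAM applications that is a client-supplied address or hostname rather than something the NAS verified; a RADIUS server that keys policy or logging on Calling-Station-Id must not treat it as authenticated, and that caveat deserves a line in the pam_radius man page. A second consequence worth deciding on: RADIUS attribute values are limited to 253 bytes, and if rad_put_string() enforces that limit (libradius's attribute encoder appears to), an over-long PAM_RHOST makes the call fail and L59-L60 then log at LOG_CRIT and fail the whole request, so the attribute being over-long becomes an authentication error rather than the attribute being omitted; if omission is preferred, guard with `if (rhost != NULL && strlen(rhost) <= 253 && rad_put_string(...) == -1)` or truncate first. A short comment above the new block would help the next reader, e.g. `/* RFC 2865 Calling-Station-Id: application-supplied PAM_RHOST, not validated here */`.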
@@ -162,7 +167,7 @@ do_accept(pam_handle_t *pamh, struct rad
 
 static int
 do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user,
-    const char *nas_id, const char *nas_ipaddr)
+    const char *nas_id, const char *nas_ipaddr, const char *rhost)
 {
 	int retval;
 	int attrtype;
@@ -230,7 +235,7 @@ do_challenge(pam_handle_t *pamh, struct 
 	    conv->appdata_ptr)) != PAM_SUCCESS)
 		return (retval);
 	if (build_access_request(radh, user, resp[num_msgs-1].resp, nas_id,
-	    nas_ipaddr, state, statelen) == -1)
+	    nas_ipaddr, rhost, state, statelen) == -1)
 		return (PAM_SERVICE_ERR);
 	memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
 	free(resp[num_msgs-1].resp);
@@ -246,7 +251,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 {
 	struct rad_handle *radh;
 	const char *user, *pass;
-	const void *tmpuser;
+	const void *rhost, *tmpuser;
 	const char *conf_file, *template_user, *nas_id, *nas_ipaddr;
 	int retval;
 	int e;
@@ -255,6 +260,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	template_user = openpam_get_option(pamh, PAM_OPT_TEMPLATE_USER);
 	nas_id = openpam_get_option(pamh, PAM_OPT_NAS_ID);
 	nas_ipaddr = openpam_get_option(pamh, PAM_OPT_NAS_IPADDR);
+	pam_get_item(pamh, PAM_RHOST, &rhost);
 
 	retval = pam_get_user(pamh, &user, NULL);
 	if (retval != PAM_SUCCESS)
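Review bot: The return value of pam_get_item() on L98 is discarded, and the `rhost` it fills was declared without an initializer in the previous hunk (L90), so on any failure return the pointer is indeterminate and is later passed through build_access_request() on L108-L109 to rad_put_string(). A one-line guard keeps it well-defined: `if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) rhost = NULL;`. As far as I recall OpenPAM only fails this call for a NULL handle or a bad item type, so this is defensive rather than a live bug, but it matches how the file already checks pam_get_user() on L100-L101. pam_sm_authenticate's body continues outside the hunk.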
@@ -284,8 +290,8 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 
 	PAM_LOG("Radius config file read");
 
-	if (build_access_request(radh, user, pass, nas_id, nas_ipaddr, NULL,
-	    0) == -1) {
+	if (build_access_request(radh, user, pass, nas_id, nas_ipaddr, rhost,
+	    NULL, 0) == -1) {
 		rad_close(radh);
 		return (PAM_SERVICE_ERR);
 	}
@@ -330,7 +336,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 
 		case RAD_ACCESS_CHALLENGE:
 			retval = do_challenge(pamh, radh, user, nas_id,
-			    nas_ipaddr);
+			    nas_ipaddr, rhost);
 			if (retval != PAM_SUCCESS) {
 				rad_close(radh);
 				return (retval);


