PAM module question
Philip Yarra
philip.yarra at internode.on.net
Sun Sep 12 05:52:14 UTC 2004
Hi all, I've been playing around with PAM to try to restrict access to
services. It seems to me there is no module available to do the following:

1) get the IP address of PAM_RHOST
2) get the IP address for a hostname listed in a file (like pam_listfile)
3) compare them and see if they are the same

The reason for wanting this: the canonical name for an IP address (which is
what seems to end up in PAM_RHOST) is not always the name we will have in our
list (I tried this using pam_listfile and pam_rhost). Two situations where
this can be an issue:

1) "Example Inc." has a gateway machine (gw.example.com, 192.168.1.88), which
we want to allow to access a service. However, since the IP range
192.168.1.1-255 belongs to its ISP, the canonical hostname that is presented
in PAM_RHOST will be ppp-88.cust.example.net, so "gw.example.com" will not
match. This situation can be addressed by putting an entry in /etc/hosts,
provided 192.168.1.88 is a static IP address.

2) "Example Inc." wants to allow access for staff who work remotely. Each
staff member has a dynamic DNS name (e.g. dyndns.org, no-ip.org), but because
they are using dynamic IP addresses, the solution to the first problem cannot
be used (no static IP address to add to /etc/hosts). So host
example.no-ip.org wants to connect to the service at example.com. PAM_RHOST
will have a value like "pppxxx-xxx.lns1.mel2.internode.on.net", which will
not match if I attempt to use "example.no-ip.org" in pam_listfile to
restrict/allow access.

Please tell me if I'm wrong on this point (I'd prefer to use someone else's
module if there's one that will do the trick). Also let me know if you think
there's a good reason not to do what I plan to do. I am aware that relying on
DNS has some inherent issues; however, these should not be any worse than the
same issues with the hostnames used for pam_listfile.

I've pretty much finished a module (shamelessly ripped off from pam_listfile)
to do what I want, so if people think it would be worthwhile I can put a copy
up.

Regards, Philip.
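The three-step check described in the post, as an added example in C that is not Philip's module or any shipped PAM module: both PAM_RHOST and each listed name are resolved with getaddrinfo() and the resulting addresses are compared byte for byte, failing closed when either name does not resolve. The PAM glue (pam_sm_authenticate, pam_get_item for PAM_RHOST) and the file reading are left out; the list is passed as an array, and the function names are this example's own.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 if two socket addresses carry the same IPv4 or IPv6 address. */
static int same_addr(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family)
        return 0;
    if (a->sa_family == AF_INET)
        return memcmp(&((const struct sockaddr_in *)a)->sin_addr,
                      &((const struct sockaddr_in *)b)->sin_addr, sizeof(struct in_addr)) == 0;
    if (a->sa_family == AF_INET6)
        return memcmp(&((const struct sockaddr_in6 *)a)->sin6_addr,
                      &((const struct sockaddr_in6 *)b)->sin6_addr, sizeof(struct in6_addr)) == 0;
    return 0;
}

/* Steps 1-3: resolve the PAM_RHOST value and one listed name, then return 1
 * if any address of rhost equals any address of listed_name. Returns 0 if
 * none do or if either name fails to resolve, so a DNS failure denies access. */
int rhost_matches_name(const char *rhost, const char *listed_name)
{
    struct addrinfo hints, *ra = NULL, *la = NULL, *r, *l;
    int match = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;     /* accept both A and AAAA records */
    hints.ai_socktype = SOCK_STREAM; /* one entry per address, not per protocol */
    if (getaddrinfo(rhost, NULL, &hints, &ra) != 0)
        return 0;
    if (getaddrinfo(listed_name, NULL, &hints, &la) != 0) {
        freeaddrinfo(ra);
        return 0;
    }
    for (r = ra; r && !match; r = r->ai_next)
        for (l = la; l && !match; l = l->ai_next)
            match = same_addr(r->ai_addr, l->ai_addr);
    freeaddrinfo(la);
    freeaddrinfo(ra);
    return match;
}

/* Walk the pam_listfile-style list (one hostname per entry); allow on the first match. */
int rhost_in_list(const char *rhost, const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (rhost_matches_name(rhost, names[i]))
            return 1;
    return 0;
}
```

Because both sides are resolved forward, a dynamic-DNS entry that currently has several A records still matches when any one of them is also an address of rhost. The check stands or falls with DNS, as the post acknowledges, since PAM_RHOST is itself the product of a reverse lookup.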