Local address from PAM module?

Joe Lewis joe at joe-lewis.com
Tue Sep 28 18:44:32 UTC 2004


>> This seems to be a matter for the application rather than PAM -
>> certainly that's how I've always implemented such requirements.

Jason is dead on - it will have to be an application thing.  The API
doesn't (and shouldn't) provide something like that, as the intent of PAM
is authentication abstraction, meaning local authentication or whatever. 
Because of that, it is not always possible to load up remote/local socket
information, because it just doesn't exist, and the application that
created the connection isn't passing that socket connection info into PAM.

> Thanks Jason (wow, there's a lot of Jasons)..  This was unfortunately
> the answer I was expecting.  The reason behind the PAM module is so
> that we wouldn't have to modify the code for our various services each
> time we wanted to upgrade them.  However, I suppose adding a couple of
> lines to the code is still a lot better than having to add ~200 lines.

If the application had a mechanism to send the socket into PAM, it would
be possible to do lookups.  One thing you can do is make the users log in
with the entire user.at.hostname, and then have the module just use that. 
It allows you to do a module, without rewriting the service.  If it is a
customized app, then you will need to make sure that hostname connections
come in on the right IP addresses, but odds are, the underlying networking
mechanisms will force that to occur anyway.  Just use the
jason at site.of.many.jasons.org method of usernames, and you may not have to
alter your application.

Joe (not Jason) Lewis
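The user.at.hostname scheme Joe describes, as an added example that is not code from this thread: the parsing and host policy a PAM module would apply to the PAM_USER it receives, in C. The libpam calls (pam_get_user to fetch the name, pam_set_item to hand the bare user name down the stack) are assumed and left out so it builds without libpam, and the allow-list is constructed.

```c
/* Added example, not code from the thread: the user@hostname parsing and host
 * policy a PAM module would apply to the PAM_USER it gets from pam_get_user().
 * The libpam glue is assumed and omitted; the allow-list is constructed. */
#include <ctype.h>
#include <string.h>
#include <strings.h>

#define MAX_USER 32   /* bare user-name limit (assumed site policy) */
#define MAX_HOST 253  /* DNS name length limit */
enum { LOGIN_OK = 0, LOGIN_NO_AT, LOGIN_BAD_USER, LOGIN_BAD_HOST, LOGIN_HOST_DENIED };
static int user_char(int c) { return isalnum(c) || c == '_' || c == '-'; }
static int host_char(int c) { return isalnum(c) || c == '-' || c == '.'; }
/* Split "user@host" into its two parts, validating each. Splitting at the LAST
 * '@' means "a@b@c" fails the user check rather than yielding an unexpected
 * host; empty, overlong or oddly punctuated parts are rejected. */
int split_user_host(const char *login, char *user, size_t ulen, char *host, size_t hlen)
{
    const char *at = strrchr(login, '@');
    if (!at) return LOGIN_NO_AT;
    size_t un = (size_t)(at - login), hn = strlen(at + 1);
    if (un == 0 || un > MAX_USER || un >= ulen) return LOGIN_BAD_USER;
    if (hn == 0 || hn > MAX_HOST || hn >= hlen) return LOGIN_BAD_HOST;
    for (size_t i = 0; i < un; i++)
        if (!user_char((unsigned char)login[i])) return LOGIN_BAD_USER;
    for (size_t i = 1; i <= hn; i++)
        if (!host_char((unsigned char)at[i])) return LOGIN_BAD_HOST;
    if (at[1] == '.' || at[hn] == '.' || strstr(at + 1, "..")) return LOGIN_BAD_HOST;
    memcpy(user, login, un); user[un] = '\0';
    memcpy(host, at + 1, hn); host[hn] = '\0';
    return LOGIN_OK;
}

/* Constructed allow-list standing in for whatever lookup the site's module does. */
int host_allowed(const char *host)
{
    static const char *allowed[] = { "site.of.many.jasons.org", "joe-lewis.com" };
    for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
        if (strcasecmp(host, allowed[i]) == 0) return 1;
    return 0;
}

/* What pam_sm_authenticate() would do with PAM_USER before handing the bare
 * name down the stack: LOGIN_OK only if the name parses and the host is allowed. */
int check_login(const char *login)
{
    char user[MAX_USER + 1], host[MAX_HOST + 1];
    int rc = split_user_host(login, user, sizeof user, host, sizeof host);
    if (rc != LOGIN_OK) return rc;
    return host_allowed(host) ? LOGIN_OK : LOGIN_HOST_DENIED;
}
```

Rejecting anything but a clean single-'@' name up front is what keeps the module's later lookups from seeing attacker-shaped input, which matters because the module has no socket information to cross-check against.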
