PAM module question

Philip Yarra philip.yarra at internode.on.net
Sun Sep 12 05:52:14 UTC 2004


Hi all, I've been playing around with PAM to try to restrict access to 
services. It seems to me there is no module available to do the following:

1) get the IP address of PAM_RHOST
2) get the IP address for a hostname listed in a file (like pam_listfile)
3) compare them and see if they are the same

The reason for wanting this: the canonical name for an IP address (which is
what seems to end up in PAM_RHOST) is not always the name we will have in our
list (I tried this using pam_listfile and pam_rhost). Two situations where 
this can be an issue:

1) "Example Inc." has a gateway machine (gw.example.com, 192.168.1.88), which 
we want to allow to access a service. However, since the IP range 
192.168.1.1-255 belongs to its ISP, the canonical hostname that is presented 
in PAM_RHOST will be ppp-88.cust.example.net, so "gw.example.com" will not 
match. This situation can be addressed by putting an entry in /etc/hosts, 
provided 192.168.1.88 is a static IP address.

2) "Example Inc." wants to allow access for staff who work remotely. Each 
staff member has a dynamic DNS name (e.g. dyndns.org, no-ip.org) but because 
they are using dynamic IP addresses, the solution to the first problem cannot 
be used (no static IP address to add to /etc/hosts). So host 
example.no-ip.org wants to connect to the service at example.com. PAM_RHOST 
will have a value like "pppxxx-xxx.lns1.mel2.internode.on.net", which will 
not match if I attempt to use "example.no-ip.org" in pam_listfile to 
restrict/allow access.

Please tell me if I'm wrong on this point (I'd prefer to use someone else's
module if there's one that will do the trick). Also let me know if you think 
there's a good reason not to do what I plan to do. I am aware that relying on 
DNS has some inherent issues; however, these should not be any worse than the 
same issues with hosts used for pam_listfile.

I've pretty much finished a module (shamelessly ripped off from pam_listfile) 
to do what I want, so if people think it would be worthwhile I can put a copy 
up.

Regards, Philip.
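The three steps described above (resolve PAM_RHOST, resolve each hostname from the list, compare the addresses), written out as an added C example. This is not Philip's module nor code from pam_listfile; it assumes the list file has already been read into an array of hostnames, and it leaves out the PAM glue (inside pam_sm_acct_mgmt the rhost string would come from pam_get_item(pamh, PAM_RHOST, ...)). It compares both IPv4 and IPv6 addresses and treats a name that does not resolve as no match, so a DNS failure denies rather than allows.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Compare two socket addresses by address only; ports are not set here. */
static int same_addr(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family)
        return 0;
    if (a->sa_family == AF_INET)
        return ((const struct sockaddr_in *)a)->sin_addr.s_addr ==
               ((const struct sockaddr_in *)b)->sin_addr.s_addr;
    if (a->sa_family == AF_INET6)
        return memcmp(&((const struct sockaddr_in6 *)a)->sin6_addr,
                      &((const struct sockaddr_in6 *)b)->sin6_addr,
                      sizeof(struct in6_addr)) == 0;
    return 0;
}

/* 1 if any address of `host` equals any address of `rhost`.
 * Returns 0 when either name fails to resolve (fail closed). */
int host_matches_rhost(const char *rhost, const char *host)
{
    struct addrinfo hints, *ra = NULL, *ha = NULL, *r, *h;
    int found = 0;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* accept both IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not per protocol */

    if (getaddrinfo(rhost, NULL, &hints, &ra) != 0)
        return 0;
    if (getaddrinfo(host, NULL, &hints, &ha) != 0) {
        freeaddrinfo(ra);
        return 0;
    }
    for (r = ra; r && !found; r = r->ai_next)
        for (h = ha; h && !found; h = h->ai_next)
            if (same_addr(r->ai_addr, h->ai_addr))
                found = 1;
    freeaddrinfo(ra);
    freeaddrinfo(ha);
    return found;
}

/* Walk the hostnames from the list file (hypothetical array, one name per
 * line as in pam_listfile) and report 1 on the first address match. */
int rhost_in_list(const char *rhost, const char *const *hosts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (host_matches_rhost(rhost, hosts[i]))
            return 1;
    return 0;
}
```

Because PAM_RHOST may hold either a hostname or a bare address, both forms go through getaddrinfo, so the comparison is always address against address.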
