[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Google
  Web www.spinics.net

saslauthd SASL_IPREMOTEPORT -> PAM_RHOST



Since I've seen some other people requesting the functionality [*], I think
someone could like getting a courtesy copy of a bugzilla entry I've just
filed on bugzilla.cyrusimap.org:

http://bugzilla.cyrusimap.org/bugzilla3/show_bug.cgi?id=3468

I'm attaching both a 2.1.23 and a 2.1.24 version of the patch, since there is a merge conflict between the former and 2.1.24 sources.

I'd be grateful about any comment - review - test which could help with upstreaming my patch.

Please keep in mind that I'm unable to test on a solaris box; therefore,
the ipc_doors changes should be treated as VERY SUSPECT; still, I think they make sense, and would be twice as grateful to any solaris tester...

Thank you very much, yours

	lorenzo

[*] In particular, a google search lead to the following pages:

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2011-March/002218.html
     "saslauthd/PAM IP logging on failure"   - 2011-03-26

https://bugzilla.redhat.com/show_bug.cgi?id=683797
     "saslauthd using pam does not log rhost (remote host) IP/hostname
          or requested login in /var/log/secure" - 2011-03-10

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html
     "PAM authentication - Remote host"      - 2010-07-13

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-May/002085.html
     "remote client ip"                      - 2010-05-24

diff -ru cyrus-sasl-2.1.24.orig/lib/checkpw.c cyrus-sasl-2.1.24/lib/checkpw.c
--- cyrus-sasl-2.1.24.orig/lib/checkpw.c	2009-08-13 14:36:42.000000000 +0200
+++ cyrus-sasl-2.1.24/lib/checkpw.c	2011-05-22 12:39:05.000000000 +0200
@@ -654,6 +654,8 @@
     char pwpath[sizeof(srvaddr.sun_path)];
     const char *p = NULL;
     char *freeme = NULL;
+    char *freemetoo = NULL;
+    const char *client_addr = NULL;
 #ifdef USE_DOORS
     door_arg_t arg;
 #endif
@@ -685,13 +687,19 @@
 	user_realm = rtmp + 1;
     }
 
+    if (sasl_getprop(conn, SASL_IPREMOTEPORT, (const void **) & client_addr) == SASL_OK) {
+	if(_sasl_strdup(client_addr, &freemetoo, NULL) != SASL_OK)
+	    goto fail;
+	client_addr = freemetoo;
+    }
+
     /*
      * build request of the form:
      *
-     * count authid count password count service count realm
+     * count authid count password count service count realm client
      */
     {
- 	unsigned short max_len, req_len, u_len, p_len, s_len, r_len;
+ 	unsigned short max_len, req_len, u_len, p_len, s_len, r_len, c_len;
  
 	max_len = (unsigned short) sizeof(query);
 
@@ -699,7 +707,8 @@
 	if ((strlen(userid) > USHRT_MAX) ||
 	    (strlen(passwd) > USHRT_MAX) ||
 	    (strlen(service) > USHRT_MAX) ||
-	    (user_realm && (strlen(user_realm) > USHRT_MAX))) {
+	    (user_realm && (strlen(user_realm) > USHRT_MAX))
+	    (client_addr && (strlen(client_addr) > USHRT_MAX))) {
 	    goto toobig;
 	}
 
@@ -707,6 +716,7 @@
  	p_len = (strlen(passwd));
 	s_len = (strlen(service));
 	r_len = ((user_realm ? strlen(user_realm) : 0));
+	c_len = ((client_addr ? strlen(client_addr): 0));
 
 	/* prevent buffer overflow */
 	req_len = 30;
@@ -717,11 +727,14 @@
 	if (max_len - req_len < s_len) goto toobig;
 	req_len += s_len;
 	if (max_len - req_len < r_len) goto toobig;
+	req_len += r_len;
+	if (max_len - req_len < c_len) goto toobig;
 
 	u_len = htons(u_len);
 	p_len = htons(p_len);
 	s_len = htons(s_len);
 	r_len = htons(r_len);
+	c_len = htons(c_len);
 
 	memcpy(query_end, &u_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
@@ -738,6 +751,10 @@
 	memcpy(query_end, &r_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
 	if (user_realm) while (*user_realm) *query_end++ = *user_realm++;
+
+	memcpy(query_end, &c_len, sizeof(unsigned short));
+	query_end += sizeof(unsigned short);
+	if(client_addr) while (*client_addr) *query_end++ = *client_addr++;
     }
 
 #ifdef USE_DOORS
@@ -838,7 +855,8 @@
     close(s);
 #endif /* USE_DOORS */
   
-    if(freeme) free(freeme);
+    if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
 
     if (!strncmp(response, "OK", 2)) {
 	return SASL_OK;
@@ -853,6 +871,7 @@
 
  fail:
     if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
     return SASL_FAIL;
 }
 
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_dce.c cyrus-sasl-2.1.24/saslauthd/auth_dce.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_dce.c	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_dce.c	2011-05-22 12:24:47.000000000 +0200
@@ -56,7 +56,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote
   /* END PARAMETERS */
   )
 {
@@ -104,7 +105,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_dce.h cyrus-sasl-2.1.24/saslauthd/auth_dce.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_dce.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_dce.h	2011-05-22 12:24:47.000000000 +0200
@@ -26,4 +26,4 @@
  * END COPYRIGHT
  */
 
-char *auth_dce(const char *, const char *, const char *, const char *);
+char *auth_dce(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_getpwent.c cyrus-sasl-2.1.24/saslauthd/auth_getpwent.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_getpwent.c	2009-05-07 17:21:15.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_getpwent.c	2011-05-22 12:24:47.000000000 +0200
@@ -67,7 +67,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_getpwent.h cyrus-sasl-2.1.24/saslauthd/auth_getpwent.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_getpwent.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_getpwent.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_getpwent(const char *, const char *, const char *, const char *);
+char *auth_getpwent(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_httpform.c cyrus-sasl-2.1.24/saslauthd/auth_httpform.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_httpform.c	2006-04-19 21:51:04.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_httpform.c	2011-05-22 12:24:47.000000000 +0200
@@ -463,7 +463,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_httpform.h cyrus-sasl-2.1.24/saslauthd/auth_httpform.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_httpform.h	2006-03-13 21:17:09.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_httpform.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_httpform(const char *, const char *, const char *, const char *);
+char *auth_httpform(const char *, const char *, const char *, const char *, const char *);
 int auth_httpform_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_krb4.c cyrus-sasl-2.1.24/saslauthd/auth_krb4.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_krb4.c	2005-02-01 13:26:34.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_krb4.c	2011-05-22 12:24:47.000000000 +0200
@@ -171,7 +171,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm_in
+  const char *realm_in,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -282,7 +283,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_krb4.h cyrus-sasl-2.1.24/saslauthd/auth_krb4.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_krb4.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_krb4.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb4(const char *, const char *, const char *, const char *);
+char *auth_krb4(const char *, const char *, const char *, const char *, const char *);
 int auth_krb4_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_krb5.c cyrus-sasl-2.1.24/saslauthd/auth_krb5.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_krb5.c	2009-05-07 17:21:15.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_krb5.c	2011-05-22 12:24:47.000000000 +0200
@@ -172,7 +172,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,                  /* I: service authenticating to */
-  const char *realm                     /* I: user's realm */
+  const char *realm,                    /* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -356,7 +357,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service authenticating to */
-  const char *realm			/* I: user's realm */
+  const char *realm,			/* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -464,7 +466,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_krb5.h cyrus-sasl-2.1.24/saslauthd/auth_krb5.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_krb5.h	2002-04-25 20:31:38.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_krb5.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb5(const char *, const char *, const char *, const char *);
+char *auth_krb5(const char *, const char *, const char *, const char *, const char *);
 int auth_krb5_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_ldap.c cyrus-sasl-2.1.24/saslauthd/auth_ldap.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_ldap.c	2004-12-08 13:12:27.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_ldap.c	2011-05-22 12:24:47.000000000 +0200
@@ -60,7 +60,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -116,7 +117,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_ldap.h cyrus-sasl-2.1.24/saslauthd/auth_ldap.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_ldap.h	2002-06-19 19:35:29.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_ldap.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_ldap(const char *, const char *, const char *, const char *);
+char *auth_ldap(const char *, const char *, const char *, const char *, const char *);
 int auth_ldap_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_pam.c cyrus-sasl-2.1.24/saslauthd/auth_pam.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_pam.c	2005-05-15 08:43:19.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_pam.c	2011-05-22 12:24:47.000000000 +0200
@@ -186,7 +186,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service name */
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -213,6 +214,14 @@
 
     my_appdata.pamh = pamh;
 
+    char * remote_host = strdup(remote);
+    if (remote_host) {
+	char * semicol = strchr(remote_host, ';');
+	if (semicol) * semicol = NULL; /* truncate remote_host at the ';' port separator */
+	pam_set_item(pamh, PAM_RHOST, remote_host);
+	free (remote_host);
+    }
+
     rc = pam_authenticate(pamh, PAM_SILENT);
     if (rc != PAM_SUCCESS) {
 	syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_authenticate failed: %s",
@@ -242,7 +251,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_pam.h cyrus-sasl-2.1.24/saslauthd/auth_pam.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_pam.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_pam.h	2011-05-22 12:24:47.000000000 +0200
@@ -32,4 +32,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_pam(const char *, const char *, const char *, const char *);
+char *auth_pam(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_rimap.c cyrus-sasl-2.1.24/saslauthd/auth_rimap.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_rimap.c	2009-05-07 17:21:15.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_rimap.c	2011-05-22 12:24:47.000000000 +0200
@@ -298,7 +298,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_rimap.h cyrus-sasl-2.1.24/saslauthd/auth_rimap.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_rimap.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_rimap.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_rimap(const char *, const char *, const char *, const char *);
+char *auth_rimap(const char *, const char *, const char *, const char *, const char *);
 int auth_rimap_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_sasldb.c cyrus-sasl-2.1.24/saslauthd/auth_sasldb.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_sasldb.c	2009-05-07 17:21:16.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_sasldb.c	2011-05-22 12:24:47.000000000 +0200
@@ -118,13 +118,14 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm
+  const char *realm,
 #else
   const char *login __attribute__((unused)),/* I: plaintext authenticator */
   const char *password __attribute__((unused)),  /* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
 #endif
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_sasldb.h cyrus-sasl-2.1.24/saslauthd/auth_sasldb.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_sasldb.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_sasldb.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sasldb(const char *, const char *, const char *, const char *);
+char *auth_sasldb(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_shadow.c cyrus-sasl-2.1.24/saslauthd/auth_shadow.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_shadow.c	2009-08-14 17:41:36.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_shadow.c	2011-05-22 12:24:47.000000000 +0200
@@ -86,7 +86,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -280,7 +281,8 @@
   const char *login __attribute__((unused)),
   const char *passwd __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_shadow.h cyrus-sasl-2.1.24/saslauthd/auth_shadow.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_shadow.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_shadow.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_shadow(const char *, const char *, const char *, const char *);
+char *auth_shadow(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_sia.c cyrus-sasl-2.1.24/saslauthd/auth_sia.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_sia.c	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_sia.c	2011-05-22 12:24:47.000000000 +0200
@@ -56,7 +56,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -84,7 +85,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_sia.h cyrus-sasl-2.1.24/saslauthd/auth_sia.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_sia.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_sia.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sia(const char *, const char *, const char *, const char *);
+char *auth_sia(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/ipc_doors.c cyrus-sasl-2.1.24/saslauthd/ipc_doors.c
--- cyrus-sasl-2.1.24.orig/saslauthd/ipc_doors.c	2004-04-27 18:01:50.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/ipc_doors.c	2011-05-22 12:24:47.000000000 +0200
@@ -218,6 +218,7 @@
 	char			password[MAX_REQ_LEN + 1]; /* password for authentication            */
 	char			service[MAX_REQ_LEN + 1];  /* service name for authentication        */
 	char			realm[MAX_REQ_LEN + 1];    /* user realm for authentication          */
+	char			client_addr[MAX_REQ_LEN + 1];  /* client address and port            */
 
 
 	/**************************************************************
@@ -294,6 +295,22 @@
 	memcpy(realm, data, count);
 	realm[count] = '\0';
 
+	/* client_addr */
+	memcpy(&count, data, sizeof(unsigned short));
+
+	count = ntohs(count);
+	data += sizeof(unsigned short);
+
+	if (count > MAX_REQ_LEN || data + count > dataend) {
+		logger(L_ERR, L_FUNC, "client_addr exceeds MAX_REQ_LEN: %d",
+		       MAX_REQ_LEN);
+		send_no("");
+		return;
+	}	
+
+	memcpy(client_addr, data, count);
+	client_addr[count] = '\0';
+
 	/**************************************************************
  	 * We don't allow NULL passwords or login names
 	 **************************************************************/
@@ -312,7 +329,7 @@
 	/**************************************************************
 	 * Get the mechanism response from do_auth() and send it back.
 	 **************************************************************/
-	response = do_auth(login, password, service, realm);
+	response = do_auth(login, password, service, realm, client_addr);
 
 	memset(password, 0, strlen(password));
 
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/ipc_unix.c cyrus-sasl-2.1.24/saslauthd/ipc_unix.c
--- cyrus-sasl-2.1.24.orig/saslauthd/ipc_unix.c	2003-10-30 20:06:42.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/ipc_unix.c	2011-05-22 12:24:47.000000000 +0200
@@ -329,6 +329,7 @@
 	char			password[MAX_REQ_LEN + 1]; /* password for authentication            */
 	char			service[MAX_REQ_LEN + 1];  /* service name for authentication        */
 	char			realm[MAX_REQ_LEN + 1];    /* user realm for authentication          */
+	char			client_addr[MAX_REQ_LEN + 1];  /* client address and port            */
 
 
 	/**************************************************************
@@ -399,12 +400,28 @@
 		send_no(conn_fd, "");
 		return;
 	}	
-
 	if (rx_rec(conn_fd, (void *)realm, (size_t)count) != (ssize_t)count) 
 		return;
 
 	realm[count] = '\0';
 
+	/* client_addr */
+	if (rx_rec(conn_fd, (void *)&count, (size_t)sizeof(count)) != (ssize_t)sizeof(count))
+		return;
+
+	count = ntohs(count);
+
+	if (count > MAX_REQ_LEN) {
+		logger(L_ERR, L_FUNC, "client address exceeded MAX_REQ_LEN: %d", MAX_REQ_LEN);
+		send_no(conn_fd, "");
+		return;
+	}
+
+	if (rx_rec(conn_fd, (void *)&client_addr, (size_t)count) != (ssize_t)count)
+		return;
+
+	client_addr[count] = '\0';
+
 	/**************************************************************
  	 * We don't allow NULL passwords or login names
 	 **************************************************************/
@@ -423,7 +440,7 @@
 	/**************************************************************
 	 * Get the mechanism response from do_auth() and send it back.
 	 **************************************************************/
-	response = do_auth(login, password, service, realm);
+	response = do_auth(login, password, service, realm, client_addr);
 
 	memset(password, 0, strlen(password));
 
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/mechanisms.h cyrus-sasl-2.1.24/saslauthd/mechanisms.h
--- cyrus-sasl-2.1.24.orig/saslauthd/mechanisms.h	2006-03-13 21:17:09.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/mechanisms.h	2011-05-22 12:24:47.000000000 +0200
@@ -40,8 +40,8 @@
     char *name;				/* name of the mechanism */
     int (*initialize)(void);		/* initialization function */
     char *(*authenticate)(const char *, const char *,
-			  const char *, const char *); /* authentication
-							  function */
+			  const char *, const char *,
+			  const char *); /* authentication function */
 } authmech_t;
 
 extern authmech_t mechanisms[];		/* array of supported auth mechs */
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/saslauthd-main.c cyrus-sasl-2.1.24/saslauthd/saslauthd-main.c
--- cyrus-sasl-2.1.24.orig/saslauthd/saslauthd-main.c	2009-05-07 17:21:16.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/saslauthd-main.c	2011-05-22 12:24:47.000000000 +0200
@@ -378,7 +378,7 @@
  * return a pointer to a string to send back to the client.
  * The caller is responsible for freeing the pointer. 
  **************************************************************/
-char *do_auth(const char *_login, const char *password, const char *service, const char *realm) {
+char *do_auth(const char *_login, const char *password, const char *service, const char *realm, const char *remote) {
 
 	struct cache_result	lkup_result;
 	char			*response;
@@ -407,7 +407,7 @@
 		response = strdup("OK");
 		cached = 1;
 	} else {
-		response = auth_mech->authenticate(login, password, service, realm);
+		response = auth_mech->authenticate(login, password, service, realm, remote);
 
 		if (response == NULL) {
 			logger(L_ERR, L_FUNC, "internal mechanism failure: %s", auth_mech->name);
@@ -420,18 +420,18 @@
 
 		if (flags & VERBOSE) {
 			if (cached) 
-				logger(L_DEBUG, L_FUNC, "auth success (cached): [user=%s] [service=%s] [realm=%s]", \
-					login, service, realm);
+				logger(L_DEBUG, L_FUNC, "auth success (cached): [user=%s] [service=%s] [realm=%s] [remote=%s]", \
+					login, service, realm, remote);
 			else
-				logger(L_DEBUG, L_FUNC, "auth success: [user=%s] [service=%s] [realm=%s] [mech=%s]", \
-					login, service, realm, auth_mech->name);
+				logger(L_DEBUG, L_FUNC, "auth success: [user=%s] [service=%s] [realm=%s] [remote=%s] [mech=%s]", \
+					login, service, realm, remote, auth_mech->name);
 		}
 		return response;
 	}
 
 	if (strncmp(response, "NO", 2) == 0) {
-		logger(L_INFO, L_FUNC, "auth failure: [user=%s] [service=%s] [realm=%s] [mech=%s] [reason=%s]", \
-			login, service, realm, auth_mech->name,
+		logger(L_INFO, L_FUNC, "auth failure: [user=%s] [service=%s] [realm=%s] [remote=%s] [mech=%s] [reason=%s]", \
+			login, service, realm, remote, auth_mech->name,
 		        strlen(response) >= 4 ? response+3 : "Unknown");
 
 		return response;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/saslauthd-main.h cyrus-sasl-2.1.24/saslauthd/saslauthd-main.h
--- cyrus-sasl-2.1.24.orig/saslauthd/saslauthd-main.h	2003-05-16 00:21:41.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/saslauthd-main.h	2011-05-22 12:24:47.000000000 +0200
@@ -88,7 +88,8 @@
 
 /* saslauthd-main.c */
 extern char	*do_auth(const char *, const char *,
-			 const char *, const char *);
+			 const char *, const char *,
+			 const char *);
 extern void	set_auth_mech(const char *);
 extern void	set_max_procs(const char *);
 extern void	set_mech_option(const char *);

#! /bin/sh /usr/share/dpatch/dpatch-run
## 0024_saslauthd_pam_rhost.dpatch by  <root@xxxxxxxxxxxxxxxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/lib/checkpw.c cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c
--- cyrus-sasl2-2.1.23.dfsg1~/lib/checkpw.c	2009-04-28 17:09:15.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c	2011-05-22 11:09:35.000000000 +0200
@@ -553,6 +553,8 @@
     char pwpath[sizeof(srvaddr.sun_path)];
     const char *p = NULL;
     char *freeme = NULL;
+    char *freemetoo = NULL;
+    const char *client_addr = NULL;
 #ifdef USE_DOORS
     door_arg_t arg;
 #endif
@@ -584,20 +586,27 @@
 	user_realm = rtmp + 1;
     }
 
+    if (sasl_getprop(conn, SASL_IPREMOTEPORT, (const void **) & client_addr) == SASL_OK) {
+        if(_sasl_strdup(client_addr, &freemetoo, NULL) != SASL_OK)
+            goto fail;
+        client_addr = freemetoo;
+    }
+
     /*
      * build request of the form:
      *
-     * count authid count password count service count realm
+     * count authid count password count service count realm count client
      */
     {
- 	unsigned short u_len, p_len, s_len, r_len;
+ 	unsigned short u_len, p_len, s_len, r_len, c_len;
  
  	u_len = (strlen(userid));
  	p_len = (strlen(passwd));
 	s_len = (strlen(service));
 	r_len = ((user_realm ? strlen(user_realm) : 0));
+	c_len = ((client_addr ? strlen(client_addr): 0));
 
-	if (u_len + p_len + s_len + r_len + 30 > (unsigned short) sizeof(query)) {
+	if (u_len + p_len + s_len + r_len + c_len + 30 > (unsigned short) sizeof(query)) {
 	    /* request just too damn big */
             sasl_seterror(conn, 0, "saslauthd request too large");
 	    goto fail;
@@ -607,6 +616,7 @@
 	p_len = htons(p_len);
 	s_len = htons(s_len);
 	r_len = htons(r_len);
+	c_len = htons(c_len);
 
 	memcpy(query_end, &u_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
@@ -623,6 +633,11 @@
 	memcpy(query_end, &r_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
 	if (user_realm) while (*user_realm) *query_end++ = *user_realm++;
+
+	memcpy(query_end, &c_len, sizeof(unsigned short));
+	query_end += sizeof(unsigned short);
+	if(client_addr) while (*client_addr) *query_end++ = *client_addr++;
+
     }
 
 #ifdef USE_DOORS
@@ -723,7 +738,8 @@
     close(s);
 #endif /* USE_DOORS */
   
-    if(freeme) free(freeme);
+    if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
 
     if (!strncmp(response, "OK", 2)) {
 	return SASL_OK;
@@ -734,6 +750,7 @@
 
  fail:
     if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
     return SASL_FAIL;
 }
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_dce.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_dce.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_dce.c	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_dce.c	2011-05-22 11:09:35.000000000 +0200
@@ -56,7 +56,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote
   /* END PARAMETERS */
   )
 {
@@ -104,7 +105,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_dce.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_dce.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_dce.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_dce.h	2011-05-22 11:09:35.000000000 +0200
@@ -26,4 +26,4 @@
  * END COPYRIGHT
  */
 
-char *auth_dce(const char *, const char *, const char *, const char *);
+char *auth_dce(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_getpwent.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_getpwent.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_getpwent.c	2009-04-28 17:09:18.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_getpwent.c	2011-05-22 11:09:35.000000000 +0200
@@ -64,7 +64,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_getpwent.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_getpwent.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_getpwent.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_getpwent.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_getpwent(const char *, const char *, const char *, const char *);
+char *auth_getpwent(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_httpform.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_httpform.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_httpform.c	2006-04-19 21:51:04.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_httpform.c	2011-05-22 11:09:35.000000000 +0200
@@ -463,7 +463,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_httpform.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_httpform.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_httpform.h	2006-03-13 21:17:09.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_httpform.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_httpform(const char *, const char *, const char *, const char *);
+char *auth_httpform(const char *, const char *, const char *, const char *, const char *);
 int auth_httpform_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb4.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb4.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb4.c	2005-02-01 13:26:34.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb4.c	2011-05-22 11:09:35.000000000 +0200
@@ -171,7 +171,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm_in
+  const char *realm_in,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -282,7 +283,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb4.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb4.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb4.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb4.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb4(const char *, const char *, const char *, const char *);
+char *auth_krb4(const char *, const char *, const char *, const char *, const char *);
 int auth_krb4_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb5.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb5.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb5.c	2009-04-28 17:09:18.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb5.c	2011-05-22 11:09:35.000000000 +0200
@@ -172,7 +172,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,                  /* I: service authenticating to */
-  const char *realm                     /* I: user's realm */
+  const char *realm,                    /* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -340,7 +341,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service authenticating to */
-  const char *realm			/* I: user's realm */
+  const char *realm,			/* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -448,7 +450,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb5.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb5.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb5.h	2002-04-25 20:31:38.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb5.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb5(const char *, const char *, const char *, const char *);
+char *auth_krb5(const char *, const char *, const char *, const char *, const char *);
 int auth_krb5_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_ldap.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_ldap.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_ldap.c	2004-12-08 13:12:27.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_ldap.c	2011-05-22 11:09:35.000000000 +0200
@@ -60,7 +60,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -116,7 +117,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_ldap.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_ldap.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_ldap.h	2002-06-19 19:35:29.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_ldap.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_ldap(const char *, const char *, const char *, const char *);
+char *auth_ldap(const char *, const char *, const char *, const char *, const char *);
 int auth_ldap_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_pam.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_pam.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_pam.c	2005-05-15 08:43:19.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_pam.c	2011-05-22 11:09:35.000000000 +0200
@@ -186,7 +186,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service name */
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -213,6 +214,14 @@
 
     my_appdata.pamh = pamh;
 
+    char * remote_host = strdup(remote);
+    if (remote_host) {
+	char * semicol = strchr(remote_host, ';');
+	if (semicol) * semicol = NULL; /* truncate remote_host at the ';' port separator */
+	pam_set_item(pamh, PAM_RHOST, remote_host);
+	free (remote_host);
+    }
+
     rc = pam_authenticate(pamh, PAM_SILENT);
     if (rc != PAM_SUCCESS) {
 	syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_authenticate failed: %s",
@@ -242,7 +251,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_pam.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_pam.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_pam.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_pam.h	2011-05-22 11:09:35.000000000 +0200
@@ -32,4 +32,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_pam(const char *, const char *, const char *, const char *);
+char *auth_pam(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_rimap.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_rimap.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_rimap.c	2011-05-22 11:09:01.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_rimap.c	2011-05-22 11:09:35.000000000 +0200
@@ -298,7 +298,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_rimap.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_rimap.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_rimap.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_rimap.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_rimap(const char *, const char *, const char *, const char *);
+char *auth_rimap(const char *, const char *, const char *, const char *, const char *);
 int auth_rimap_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sasldb.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sasldb.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sasldb.c	2011-05-22 11:09:01.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sasldb.c	2011-05-22 11:09:35.000000000 +0200
@@ -118,13 +118,14 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm
+  const char *realm,
 #else
   const char *login __attribute__((unused)),/* I: plaintext authenticator */
   const char *password __attribute__((unused)),  /* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
 #endif
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sasldb.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sasldb.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sasldb.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sasldb.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sasldb(const char *, const char *, const char *, const char *);
+char *auth_sasldb(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_shadow.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_shadow.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_shadow.c	2011-05-22 11:09:01.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_shadow.c	2011-05-22 11:09:35.000000000 +0200
@@ -82,7 +82,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -276,7 +277,8 @@
   const char *login __attribute__((unused)),
   const char *passwd __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_shadow.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_shadow.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_shadow.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_shadow.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_shadow(const char *, const char *, const char *, const char *);
+char *auth_shadow(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sia.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sia.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sia.c	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sia.c	2011-05-22 11:09:35.000000000 +0200
@@ -56,7 +56,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -84,7 +85,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sia.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sia.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sia.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sia.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sia(const char *, const char *, const char *, const char *);
+char *auth_sia(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/ipc_doors.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/ipc_doors.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/ipc_doors.c	2004-04-27 18:01:50.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/ipc_doors.c	2011-05-22 11:09:35.000000000 +0200
@@ -218,6 +218,7 @@
 	char			password[MAX_REQ_LEN + 1]; /* password for authentication            */
 	char			service[MAX_REQ_LEN + 1];  /* service name for authentication        */
 	char			realm[MAX_REQ_LEN + 1];    /* user realm for authentication          */
+	char			client_addr[MAX_REQ_LEN + 1];  /* client address and port            */
 
 
 	/**************************************************************
@@ -294,6 +295,22 @@
 	memcpy(realm, data, count);
 	realm[count] = '\0';
 
+	/* client_addr */
+	memcpy(&count, data, sizeof(unsigned short));
+
+	count = ntohs(count);
+	data += sizeof(unsigned short);
+
+	if (count > MAX_REQ_LEN || data + count > dataend) {
+		logger(L_ERR, L_FUNC, "client_addr exceeds MAX_REQ_LEN: %d",
+		       MAX_REQ_LEN);
+		send_no("");
+		return;
+	}	
+
+	memcpy(client_addr, data, count);
+	client_addr[count] = '\0';
+
 	/**************************************************************
  	 * We don't allow NULL passwords or login names
 	 **************************************************************/
@@ -312,7 +329,7 @@
 	/**************************************************************
 	 * Get the mechanism response from do_auth() and send it back.
 	 **************************************************************/
-	response = do_auth(login, password, service, realm);
+	response = do_auth(login, password, service, realm, client_addr);
 
 	memset(password, 0, strlen(password));
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/ipc_unix.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/ipc_unix.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/ipc_unix.c	2003-10-30 20:06:42.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/ipc_unix.c	2011-05-22 11:09:35.000000000 +0200
@@ -329,6 +329,7 @@
 	char			password[MAX_REQ_LEN + 1]; /* password for authentication            */
 	char			service[MAX_REQ_LEN + 1];  /* service name for authentication        */
 	char			realm[MAX_REQ_LEN + 1];    /* user realm for authentication          */
+	char			client_addr[MAX_REQ_LEN + 1];  /* client address and port            */
 
 
 	/**************************************************************
@@ -399,12 +400,28 @@
 		send_no(conn_fd, "");
 		return;
 	}	
-
 	if (rx_rec(conn_fd, (void *)realm, (size_t)count) != (ssize_t)count) 
 		return;
 
 	realm[count] = '\0';
 
+	/* client_addr */
+	if (rx_rec(conn_fd, (void *)&count, (size_t)sizeof(count)) != (ssize_t)sizeof(count))
+		return;
+
+	count = ntohs(count);
+
+	if (count > MAX_REQ_LEN) {
+		logger(L_ERR, L_FUNC, "client address exceeded MAX_REQ_LEN: %d", MAX_REQ_LEN);
+		send_no(conn_fd, "");
+		return;
+	}
+
+	if (rx_rec(conn_fd, (void *)&client_addr, (size_t)count) != (ssize_t)count)
+		return;
+
+	client_addr[count] = '\0';
+
 	/**************************************************************
  	 * We don't allow NULL passwords or login names
 	 **************************************************************/
@@ -423,7 +440,7 @@
 	/**************************************************************
 	 * Get the mechanism response from do_auth() and send it back.
 	 **************************************************************/
-	response = do_auth(login, password, service, realm);
+	response = do_auth(login, password, service, realm, client_addr);
 
 	memset(password, 0, strlen(password));
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/mechanisms.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/mechanisms.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/mechanisms.h	2006-03-13 21:17:09.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/mechanisms.h	2011-05-22 11:09:35.000000000 +0200
@@ -40,8 +40,8 @@
     char *name;				/* name of the mechanism */
     int (*initialize)(void);		/* initialization function */
     char *(*authenticate)(const char *, const char *,
-			  const char *, const char *); /* authentication
-							  function */
+			  const char *, const char *,
+			  const char *); /* authentication function */
 } authmech_t;
 
 extern authmech_t mechanisms[];		/* array of supported auth mechs */
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/saslauthd-main.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/saslauthd-main.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/saslauthd-main.c	2011-05-22 11:09:01.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/saslauthd-main.c	2011-05-22 11:09:35.000000000 +0200
@@ -367,7 +367,7 @@
  * return a pointer to a string to send back to the client.
  * The caller is responsible for freeing the pointer. 
  **************************************************************/
-char *do_auth(const char *_login, const char *password, const char *service, const char *realm) {
+char *do_auth(const char *_login, const char *password, const char *service, const char *realm, const char *remote) {
 
 	struct cache_result	lkup_result;
 	char			*response;
@@ -396,7 +396,7 @@
 		response = strdup("OK");
 		cached = 1;
 	} else {
-		response = auth_mech->authenticate(login, password, service, realm);
+		response = auth_mech->authenticate(login, password, service, realm, remote);
 
 		if (response == NULL) {
 			logger(L_ERR, L_FUNC, "internal mechanism failure: %s", auth_mech->name);
@@ -409,18 +409,18 @@
 
 		if (flags & VERBOSE) {
 			if (cached) 
-				logger(L_DEBUG, L_FUNC, "auth success (cached): [user=%s] [service=%s] [realm=%s]", \
-					login, service, realm);
+				logger(L_DEBUG, L_FUNC, "auth success (cached): [user=%s] [service=%s] [realm=%s] [remote=%s]", \
+					login, service, realm, remote);
 			else
-				logger(L_DEBUG, L_FUNC, "auth success: [user=%s] [service=%s] [realm=%s] [mech=%s]", \
-					login, service, realm, auth_mech->name);
+				logger(L_DEBUG, L_FUNC, "auth success: [user=%s] [service=%s] [realm=%s] [remote=%s] [mech=%s]", \
+					login, service, realm, remote, auth_mech->name);
 		}
 		return response;
 	}
 
 	if (strncmp(response, "NO", 2) == 0) {
-		logger(L_INFO, L_FUNC, "auth failure: [user=%s] [service=%s] [realm=%s] [mech=%s] [reason=%s]", \
-			login, service, realm, auth_mech->name,
+		logger(L_INFO, L_FUNC, "auth failure: [user=%s] [service=%s] [realm=%s] [remote=%s] [mech=%s] [reason=%s]", \
+			login, service, realm, remote, auth_mech->name,
 		        strlen(response) >= 4 ? response+3 : "Unknown");
 
 		return response;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/saslauthd-main.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/saslauthd-main.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/saslauthd-main.h	2003-05-16 00:21:41.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/saslauthd-main.h	2011-05-22 11:09:35.000000000 +0200
@@ -88,7 +88,8 @@
 
 /* saslauthd-main.c */
 extern char	*do_auth(const char *, const char *,
-			 const char *, const char *);
+			 const char *, const char *,
+			 const char *);
 extern void	set_auth_mech(const char *);
 extern void	set_max_procs(const char *);
 extern void	set_mech_option(const char *);


[Video For Linux]     [Photos]     [Yosemite News]    [Yosemite Photos]     [gtk]     [KDE]     [Info Cyrus]     [Gimp on Windows]     [Steve's Art]     [Script Fu]

Powered by Linux