#382 PAM_RHOST and PAM_RUSER not exported to PAM

open
nobody
None
5
2009-09-01
2009-09-01
Anonymous
No

When authenticating with PAM using the account facility, the PAM_RHOST and PAM_RUSER environment variables are not available. PAM_USER and PAM_SERVICE are exported. According to the PAM documentation, PAM_RUSER and PAM_RHOST should be available to the system.

To reproduce (Usermin 1.480)

- Enable PAM authentication
- Add a default /etc/pam.d/usermin file
- Configure /etc/pam.d/usermin to call pam_exec.so, referencing a script.
  For example, on a Debian system:

      account required pam_exec.so log=/root/custom_script.log /root/pam_script
      @include common-account
      @include common-session
      @include common-auth
      @include common-password

- Have that script check environment variables, i.e.:

      #!/bin/bash
      set | grep PAM

- Check the log file for the state of the environment when custom_script was called. PAM_RHOST and PAM_RUSER are not present.
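
A more explicit form of the diagnostic script from the steps above, as an added example that is not part of the original report or of Usermin: it reports each item that the pam_exec(8) man page lists as exported (PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_TTY, PAM_RHOST, PAM_RUSER) as set, empty or unset. The function names are hypothetical, and it assumes the script is installed as the /root/pam_script referenced in the configuration above.

```shell
#!/bin/sh
# Added example: diagnostic hook for pam_exec.so (not Usermin or Linux-PAM code).
# Items that pam_exec(8) documents as exported environment variables.
PAM_ITEMS="PAM_USER PAM_SERVICE PAM_TYPE PAM_TTY PAM_RHOST PAM_RUSER"

# Print one "NAME=state" line per item; state is set, empty or unset.
pam_item_states() {
    for name in $PAM_ITEMS; do
        # eval is safe here: $name only ever comes from the fixed list above.
        if eval "[ -z \"\${$name+x}\" ]"; then
            state=unset
        elif eval "[ -z \"\${$name}\" ]"; then
            state=empty
        else
            state=set
        fi
        printf '%s=%s\n' "$name" "$state"
    done
}

# Print the space-separated names of items that are unset or empty.
pam_missing_items() {
    missing=""
    for entry in $(pam_item_states); do
        case "$entry" in
            *=set) ;;
            *) missing="$missing${missing:+ }${entry%%=*}" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# The log= option of pam_exec captures this output. Only states are printed,
# so usernames and remote hosts do not end up in the log file.
pam_item_states
printf 'missing: %s\n' "$(pam_missing_items)"
```

The script ends with a successful `printf`, so it exits 0 and the `required` account line does not reject the login because of the diagnostic itself.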

Discussion

  • Jamie Cameron

    Jamie Cameron - 2009-09-01

    Shouldn't the PAM libraries be setting these? Usermin doesn't set PAM_USER or PAM_SERVICE either ..

     
  • Nobody/Anonymous

    I honestly don't know, and I'm no expert with the PAM libraries either. This has only ever happened with Usermin though (and perhaps Webmin, I haven't checked).

    My guess then is that it has something to do with the manner by which the PAM library routines are called.

     
  • Jamie Cameron

    Jamie Cameron - 2009-09-03

    You would really have to ask the pam_exec.so developers about this, as that module presumably sets those variables .. and would have access to the logged-in username.

     
