1553 pam remote or local detection (#1565)

2025-02-23 12:37:00 +01:00 · 2023-04-24 10:19:28 +10:00 · 2023-04-24 10:19:28 +10:00 · 9286d3780a
parent ec3accf6c3
commit 9286d3780a
2 changed files with 48 additions and 1 deletions
--- a/unix_integration/pam_kanidm/src/pam/mod.rs
+++ b/unix_integration/pam_kanidm/src/pam/mod.rs
@ -91,10 +91,14 @@ impl PamHooks for PamKanidm {
            Err(_) => return PamResultCode::PAM_SERVICE_ERR,
        };

+        let tty = pamh.get_tty();
+        let rhost = pamh.get_rhost();
+
        if opts.debug {
            println!("acct_mgmt");
            println!("args -> {:?}", args);
            println!("opts -> {:?}", opts);
+            println!("tty -> {:?} rhost -> {:?}", tty, rhost);
        }

        let account_id = match pamh.get_user(None) {
@ -165,10 +169,15 @@ impl PamHooks for PamKanidm {
            Err(_) => return PamResultCode::PAM_SERVICE_ERR,
        };

+        // This will == "Ok(Some("ssh"))" on remote auth.
+        let tty = pamh.get_tty();
+        let rhost = pamh.get_rhost();
+
        if opts.debug {
            println!("sm_authenticate");
            println!("args -> {:?}", args);
            println!("opts -> {:?}", opts);
+            println!("tty -> {:?} rhost -> {:?}", tty, rhost);
        }

        let account_id = match pamh.get_user(None) {
--- a/unix_integration/pam_kanidm/src/pam/module.rs
+++ b/unix_integration/pam_kanidm/src/pam/module.rs
@ -5,7 +5,7 @@ use std::{mem, ptr};

 use libc::c_char;

-use crate::pam::constants::{PamFlag, PamItemType, PamResultCode, PAM_AUTHTOK};
+use crate::pam::constants::{PamFlag, PamItemType, PamResultCode, PAM_AUTHTOK, PAM_RHOST, PAM_TTY};

 /// Opaque type, used as a pointer when making pam API calls.
 ///
@ -207,6 +207,44 @@ impl PamHandle {
            Err(res)
        }
    }
+
+    pub fn get_tty(&self) -> PamResult<Option<String>> {
+        let mut ptr: *const PamItemT = ptr::null();
+        let (res, item) = unsafe {
+            let r = pam_get_item(self, PAM_TTY, &mut ptr);
+            let t = if PamResultCode::PAM_SUCCESS == r && !ptr.is_null() {
+                let typed_ptr: *const c_char = ptr as *const c_char;
+                Some(CStr::from_ptr(typed_ptr).to_string_lossy().into_owned())
+            } else {
+                None
+            };
+            (r, t)
+        };
+        if PamResultCode::PAM_SUCCESS == res {
+            Ok(item)
+        } else {
+            Err(res)
+        }
+    }
+
+    pub fn get_rhost(&self) -> PamResult<Option<String>> {
+        let mut ptr: *const PamItemT = ptr::null();
+        let (res, item) = unsafe {
+            let r = pam_get_item(self, PAM_RHOST, &mut ptr);
+            let t = if PamResultCode::PAM_SUCCESS == r && !ptr.is_null() {
+                let typed_ptr: *const c_char = ptr as *const c_char;
+                Some(CStr::from_ptr(typed_ptr).to_string_lossy().into_owned())
+            } else {
+                None
+            };
+            (r, t)
+        };
+        if PamResultCode::PAM_SUCCESS == res {
+            Ok(item)
+        } else {
+            Err(res)
+        }
+    }
 }

 /// Provides functions that are invoked by the entrypoints generated by the