From ea1fcf59e574e9251fb190db25f63f4a6aaa8f3e Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Sun, 3 Nov 2024 10:13:26 +1000
Subject: [PATCH] Resolve incorrect handling of rhost in pam (#3171)
---
 unix_integration/common/src/unix_proto.rs | 8 ++++++--
 unix_integration/pam_kanidm/src/pam/module.rs | 2 +-
 unix_integration/resolver/src/bin/kanidm-unix.rs | 2 +-
 unix_integration/resolver/src/resolver.rs | 2 +-
 4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/unix_integration/common/src/unix_proto.rs b/unix_integration/common/src/unix_proto.rs
index 1f8dbd779..95ca4035d 100644
--- a/unix_integration/common/src/unix_proto.rs
+++ b/unix_integration/common/src/unix_proto.rs
@@ -107,7 +107,8 @@ pub enum PamAuthRequest {
 pub struct PamServiceInfo {
 pub service: String,
 pub tty: String,
- pub rhost: String,
+ // Only set if it really is a remote host?
+ pub rhost: Option,
 }
 #[derive(Serialize, Deserialize, Debug)]
@@ -144,7 +145,10 @@ impl ClientRequest {
 ClientRequest::NssGroupByName(id) => format!("NssGroupByName({})", id),
 ClientRequest::PamAuthenticateInit { account_id, info } => format!(
 "PamAuthenticateInit{{ account_id={} tty={} pam_secvice{} rhost={} }}",
- account_id, info.service, info.tty, info.rhost
+ account_id,
+ info.service,
+ info.tty,
+ info.rhost.as_deref().unwrap_or("")
 ),
 ClientRequest::PamAuthenticateStep(_) => "PamAuthenticateStep".to_string(),
 ClientRequest::PamAccountAllowed(id) => {
diff --git a/unix_integration/pam_kanidm/src/pam/module.rs b/unix_integration/pam_kanidm/src/pam/module.rs
index 95404b6a9..1916a9318 100755
--- a/unix_integration/pam_kanidm/src/pam/module.rs
+++ b/unix_integration/pam_kanidm/src/pam/module.rs
@@ -256,7 +256,7 @@ impl PamHandle {
 tracing::debug!(?maybe_tty, ?maybe_rhost, ?maybe_service);
 match (maybe_tty, maybe_rhost, maybe_service) {
- (Some(tty), Some(rhost), Some(service)) => Ok(PamServiceInfo {
+ (Some(tty), rhost, Some(service)) => Ok(PamServiceInfo {
 service,
 tty,
 rhost,
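Review bot: The comment added above `rhost` in `PamServiceInfo` (unix_proto.rs, first hunk) is phrased as a question, so the field's contract is left undefined for every consumer of the struct. Now that the type distinguishes an absent value, I would replace it with a doc comment that states the meaning, e.g. `/// Remote host as reported by the calling PAM application; None when it did not supply one. Unverified input, so None must not be read as a trusted local login.` If this struct is serialised between the PAM module and the resolver (its own derive line is outside the hunk), the change from `String` to an optional value presumably alters what the two sides exchange, and it is worth confirming that a module and daemon of different versions fail closed during an upgrade.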
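Review bot: In the `PamAuthenticateInit` arm of the log-string formatter (unix_proto.rs, second hunk) the labels do not line up with the arguments: `tty={}` is filled with `info.service` and `pam_secvice{}` (misspelled and missing its `=`) with `info.tty`, so anyone reading these lines during an investigation sees the two fields swapped. The reformatted argument list keeps that order; the format string could become `"PamAuthenticateInit{{ account_id={} pam_service={} tty={} rhost={} }}",`. Rendering an absent rhost with `unwrap_or("")` also makes it indistinguishable from an empty one, so a visible marker such as `unwrap_or("<none>")` would read better. The enclosing method starts and ends outside the hunk.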
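Review bot: In the match arm in module.rs, `rhost` is now passed through exactly as obtained, so an application that sets the remote-host item to an empty string would yield `Some("")`, which later code may take for a real remote host. Whether the getter that produces `maybe_rhost` already maps empty values to `None` is not visible here; if it does not, normalise at this point with `rhost: rhost.filter(|h| !h.is_empty()),`. The function body continues outside the hunk, including the arm that handles a missing tty or service.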
diff --git a/unix_integration/resolver/src/bin/kanidm-unix.rs b/unix_integration/resolver/src/bin/kanidm-unix.rs
index c134bab48..70621d6ea 100644
--- a/unix_integration/resolver/src/bin/kanidm-unix.rs
+++ b/unix_integration/resolver/src/bin/kanidm-unix.rs
@@ -68,7 +68,7 @@ async fn main() -> ExitCode {
 info: PamServiceInfo {
 service: "kanidm-unix".to_string(),
 tty: "/dev/null".to_string(),
- rhost: "localhost".to_string(),
+ rhost: None,
 },
 };
 loop {
diff --git a/unix_integration/resolver/src/resolver.rs b/unix_integration/resolver/src/resolver.rs
index d640b87dc..2494055d3 100644
--- a/unix_integration/resolver/src/resolver.rs
+++ b/unix_integration/resolver/src/resolver.rs
@@ -1087,7 +1087,7 @@ impl Resolver {
 let pam_info = PamServiceInfo {
 service: "kanidm-unix-test".to_string(),
 tty: "/dev/null".to_string(),
- rhost: "localhost".to_string(),
+ rhost: None,
 };
 let mut auth_session = match self