Created attachment 370065: Patch to include the RHOST attribute to PAM if 'REMOTE_HOST' is available in the environment.

Description of problem:
I have an environment where a CVS server is exposed to two classes of networks. One of the classes ("external") should use an anonymous, read-only view of the CVS tree, while another class ("internal") should use a per-user verification and a read-write view. It is important to our environment that no modifications can be performed from the external view -- even if the user is in possession of a valid username and password.

This type of verification is available using PAM listfile authentication on its 'rhost' attribute, but the cvs server does not include this attribute in the calls to PAM (even though the information is readily available, as xinetd is exporting 'REMOTE_HOST' into the environment).

I am attaching a patch to supply the RHOST data to the cvs package in the hope of not having to manually add the patch and rebuild the cvs package in the future. I'm running this patch in production, limiting PAM authentication to the hosts listed in /etc/cvswritehosts using the following directive in the /etc/pam.d/cvs file:

---
auth required pam_listfile.so \
    item=rhost sense=allow onerr=fail file=/etc/cvswritehosts
---

Anonymous access is provided through a no-password entry in the CVS 'passwd' file in CVSROOT.

Version-Release number of selected component (if applicable):
Currently running a patched version of 1.11.22-5.

Steps to Reproduce:
N/A

Actual results:
PAM listfile item 'rhost' does not work with CVS in pserver mode.

Expected results:
PAM listfile item 'rhost' works with CVS in pserver mode.
Created attachment 484179: Fix backported from upstream development version

This patch passes PAM_RHOST and PAM_TTY to the PAM subsystem. The value is obtained from the standard input descriptor. This way is more generic than the former patch, which relied on the environment.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

Cause
There is a demand to distinguish clients by network address in the PAM system. However, the CVS server did not pass the client address to the PAM system.

Consequence
The PAM system cannot utilize the client address. Thus it is not possible to use this information for authentication or authorization purposes (e.g. to serve a CVS repository read-write for clients from one network and read-only for clients from another network).

Change
The client network address is passed to the PAM subsystem as the remote host item (PAM_RHOST). In addition, the terminal item (PAM_TTY) is set to the dummy value `cvs' because some PAM modules cannot work with an unset value.

Result
The PAM system is aware of the CVS client network address now.
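To make the behaviour discussed in the comments above concrete, here is an added Python example (written for this page, not code from the bug report, the cvs package or pam_listfile itself). It models the decision that the `item=rhost sense=allow onerr=fail file=/etc/cvswritehosts` line from the first comment asks pam_listfile to make, including the two failure modes a defender cares about: the list file being unreadable (covered by `onerr=fail`) and the PAM_RHOST item never being set at all, which is the unpatched cvs pserver situation. It also shows the two sources of the client address that the two attachments used: the xinetd `REMOTE_HOST` environment variable (first patch) and the peer address of the connected socket inherited on stdin (backported fix). The list file content, host names and addresses are constructed sample data; the function names are my own, and the pam_listfile semantics are a simplified model rather than the module's code.

```python
import os
import socket
from typing import Mapping, Optional

# Constructed sample of an /etc/cvswritehosts-style list file: one entry per line,
# blank lines and '#' comments ignored. Made-up data, not taken from the report.
SAMPLE_WRITEHOSTS = """\
# hosts that may authenticate to the read-write CVS view
10.0.1.15
build.internal.example
"""


def parse_listfile(text: str) -> set:
    """Return the set of entries in a pam_listfile-style file."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def listfile_allows(rhost: Optional[str], listfile_text: Optional[str],
                    sense: str = "allow", onerr: str = "fail") -> bool:
    """Simplified model of pam_listfile.so with item=rhost.

    rhost=None models a service (like unpatched cvs pserver) that never set
    PAM_RHOST; listfile_text=None models an unreadable list file. Both are
    treated as the 'onerr' case: fail -> deny, succeed -> allow.
    """
    if listfile_text is None or rhost is None:
        return onerr == "succeed"
    matched = rhost in parse_listfile(listfile_text)
    # sense=allow: only listed hosts pass; sense=deny: listed hosts are rejected.
    return matched if sense == "allow" else not matched


def remote_host_from_env(environ: Mapping[str, str] = os.environ) -> Optional[str]:
    """Client address as exported by xinetd in REMOTE_HOST (the first patch's source)."""
    return environ.get("REMOTE_HOST") or None


def remote_host_from_fd(fd: int) -> Optional[str]:
    """Peer address of a connected socket inherited on a descriptor (the backported
    fix's source, where fd is stdin under xinetd). Returns None when the descriptor
    is not a connected INET/INET6 socket, so the caller falls into the onerr path."""
    try:
        sock = socket.socket(fileno=os.dup(fd))  # dup so closing does not steal fd
    except OSError:
        return None
    try:
        peer = sock.getpeername()
    except OSError:
        return None
    finally:
        sock.close()
    # INET peers are (host, port[, ...]) tuples; AF_UNIX peers are plain strings.
    return peer[0] if isinstance(peer, tuple) else None


def cvs_write_access(rhost: Optional[str], listfile_text: Optional[str]) -> str:
    """Combine the pieces: returns 'read-write' when the PAM line would pass,
    otherwise 'read-only' (the anonymous view from the first comment)."""
    return "read-write" if listfile_allows(rhost, listfile_text) else "read-only"


if __name__ == "__main__":
    for host in ("10.0.1.15", "203.0.113.9", None):
        print(host, "->", cvs_write_access(host, SAMPLE_WRITEHOSTS))
```

The `None` case is the one the bug report is about: with the item unset, the listfile check can never match, and `onerr=fail` turns that into a denial, which is why the reporter's configuration only works once cvs actually supplies PAM_RHOST.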
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0253.html