Created attachment 370065
Patch to pass the RHOST attribute to PAM if 'REMOTE_HOST' is available in the environment.
Description of problem:
I have an environment where a CVS server is exposed to two classes of networks. One of the classes ("external") should use an anonymous, read-only view of the CVS tree, while another class ("internal") should use a per-user verification and a read-write view. It is important to our environment that no modifications can be performed from the external view -- even if the user is in possession of a valid username and password.
This type of verification is available using PAM listfile authentication on its 'rhost' attribute, but the cvs server does not include this attribute (even though the information is readily available as xinetd is exporting the 'REMOTE_HOST' into the environment) in the calls to PAM.
I am attaching a patch to supply the RHOST data to the cvs package in the hopes of not having to manually add the patch and rebuild the cvs package in the future.
I'm running this patch in production, limiting PAM authentication to the hosts listed in /etc/cvswritehosts using the following directive in the /etc/pam.d/cvs file:
auth required pam_listfile.so \
item=rhost sense=allow onerr=fail file=/etc/cvswritehosts
Anonymous access is provided through a no-password entry in the CVS 'passwd' file in CVSROOT.
Version-Release number of selected component (if applicable):
Currently running patched version of 1.11.22-5.
Steps to Reproduce:
Actual results:
PAM listfile item 'rhost' does not work with CVS in pserver mode.
Expected results:
PAM listfile item 'rhost' works with CVS in pserver mode.
Created attachment 484179
Fix backported from upstream development version
This patch passes PAM_RHOST and PAM_TTY to the PAM subsystem. The value is obtained from the standard input descriptor.
This way is more generic than the former patch, which relied on the environment.
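The approach described in this comment, written out as an added example that is neither the CVS sources nor either attachment: the client address is derived from the descriptor the server reads from (getpeername on fd 0 under xinetd) rather than from REMOTE_HOST, then handed to PAM as PAM_RHOST, with PAM_TTY set to `cvs', before pam_authenticate(). The function names are mine; the PAM part is compiled only with -DHAVE_PAM -lpam, while loopback_peer() is a self-check of the address lookup that builds without PAM.

```c
#define _GNU_SOURCE            /* getnameinfo, NI_* and sockaddr_storage */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef HAVE_PAM
#include <security/pam_appl.h> /* build with -DHAVE_PAM -lpam for this part */
#endif
/* Numeric peer address of a connected socket fd (fd 0 under xinetd); 0 on success, -1 if no IPv4/IPv6 peer. */
int peer_address_of_fd(int fd, char *buf, size_t buflen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0 ||
        (ss.ss_family != AF_INET && ss.ss_family != AF_INET6))
        return -1;   /* a pipe, a tty or an AF_UNIX socket: nothing to list */
    /* NI_NUMERICHOST: no reverse lookup, so a forged PTR record cannot alter it */
    return getnameinfo((struct sockaddr *)&ss, len, buf, buflen,
                       NULL, 0, NI_NUMERICHOST) == 0 ? 0 : -1;
}

#ifdef HAVE_PAM
/* Between pam_start() and pam_authenticate(): PAM_RHOST if the peer is known, PAM_TTY always (some modules need it). */
int cvs_pam_set_client_items(pam_handle_t *pamh, int fd)
{
    char host[INET6_ADDRSTRLEN];
    int rc = PAM_SUCCESS;
    if (peer_address_of_fd(fd, host, sizeof host) == 0)
        rc = pam_set_item(pamh, PAM_RHOST, host);
    return rc != PAM_SUCCESS ? rc : pam_set_item(pamh, PAM_TTY, "cvs");
}
#endif
/* Self-check: what the accepted end of a loopback TCP connection sees (expect "127.0.0.1"), NULL on failure. */
const char *loopback_peer(void)
{
    static char host[INET6_ADDRSTRLEN];
    struct sockaddr_in a = { .sin_family = AF_INET };  /* port 0: kernel picks */
    socklen_t alen = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
    int as = -1, rc = -1;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (ls >= 0 && cs >= 0 && bind(ls, (struct sockaddr *)&a, alen) == 0 &&
        listen(ls, 1) == 0 && getsockname(ls, (struct sockaddr *)&a, &alen) == 0 &&
        connect(cs, (struct sockaddr *)&a, alen) == 0 &&
        (as = accept(ls, NULL, NULL)) >= 0)
        rc = peer_address_of_fd(as, host, sizeof host);
    close(as); close(ls); close(cs);
    return rc == 0 ? host : NULL;
}
```

With both items set, the pam_listfile line from the original report (item=rhost) has a numeric client address to match against /etc/cvswritehosts.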
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Cause:
There is a demand to distinguish clients by network address in the PAM system. However, the CVS server did not pass the client address to the PAM system.
Consequence:
The PAM system cannot utilize the client address. Thus it is not possible to use this information for authentication or authorization purposes (e.g. to serve a CVS repository read-write for clients from one network and read-only from
Fix:
The client network address is passed to the PAM subsystem as the remote host item (PAM_RHOST). In addition, the terminal item (PAM_TTY) is set to the dummy value `cvs' because some PAM modules cannot work with an unset value.
Result:
The PAM system is now aware of the CVS client network address.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.