Bug 538376 (cvs-pam-rhost) - CVS PAM authentication does not support RHOST item
Summary: CVS PAM authentication does not support RHOST item
Keywords:
Status: CLOSED ERRATA
Alias: cvs-pam-rhost
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cvs
Version: 5.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Petr Pisar
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-18 12:29 UTC by Jonas Anden
Modified: 2018-11-28 21:53 UTC (History)
7 users (show)

Fixed In Version: cvs-1.11.22-10.el5
Doc Type: Enhancement
Doc Text:
Cause There is a demand to distinguish clients by network address by PAM system. However CVS server did not pass client address to PAM system. Consequence PAM system cannot utilize client address. Thus it's not possible to use this information for authentication or authorization purposes (e.g. to serve a CVS repository read-write for clients from one network and read-only from other network). Change Client network address is passed to PAM subsystem as remote host item (PAM_RHOST). In addition, terminal item (PAM_TTY) is set to dummy value `cvs' because some PAM modules cannot work with unset value. Result PAM system is aware of CVS client network address now.
Clone Of:
: 684789 858692 (view as bug list)
Environment:
Last Closed: 2012-02-21 06:20:07 UTC


Attachments (Terms of Use)
Patch to include RHOST attribute to PAM if 'REMOTE_HOST' is available in environment. (908 bytes, patch)
2009-11-18 12:29 UTC, Jonas Anden
no flags Details | Diff
Fix backported from upstream development version (3.14 KB, patch)
2011-03-14 13:20 UTC, Petr Pisar
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0253 normal SHIPPED_LIVE cvs bug fix update 2012-02-20 15:07:01 UTC

Description Jonas Anden 2009-11-18 12:29:17 UTC
Created attachment 370065 [details]
Patch to include RHOST attribute to PAM if 'REMOTE_HOST' is available in environment.

Description of problem:
I have an environment where a CVS server is exposed to two classes of networks. One of the classes ("external") should use an anonymous, read-only view of the CVS tree, while another class ("internal") should use a per-user verification and a read-write view. It is important to our environment that no modifications  can done performed from the external view -- even if the user is in possession of a valid username and password.

This type of verification is available using PAM listfile authentication on its 'rhost' attribute, but the cvs server does not include this attribute (even though the information is readily available as xinetd is exporting the 'REMOTE_HOST' into the environment) in the calls to PAM.

I am attaching a patch to supply the RHOST data to the cvs package in the hopes of not having to manually add the patch and rebuild the cvs package in the future.

I'm running this patch in production, limiting PAM authentication to the hosts listed in /etc/cvswritehosts using the following directive in the /etc/pam.d/cvs file:

---
auth		required	pam_listfile.so \
					item=rhost sense=allow onerr=fail file=/etc/cvswritehosts
---

Anonymous access is provided through a no-password entry in the CVS 'passwd' file in CVSROOT.

Version-Release number of selected component (if applicable):
Currently running patched version of 1.11.22-5.

Steps to Reproduce:
N/A
  
Actual results:
PAM listfile item 'rhost' does not work with CVS in pserver mode.

Expected results:
PAM listfile item 'rhost' works with CVS in pserver mode.

Comment 3 Petr Pisar 2011-03-14 13:20:49 UTC
Created attachment 484179 [details]
Fix backported from upstream development version

This patch passes PAM_RHOST and PAM_TTY to PAM subsystem. The value is obtained from standard input descriptor.

This way is more generic than former patch relying to environment.

Comment 12 Petr Pisar 2011-10-25 14:00:14 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    There is a demand to distinguish clients by network address
    by PAM system. However CVS server did not pass client
    address to PAM system.
Consequence
    PAM system cannot utilize client address. Thus it's not
    possible to use this information for authentication or
    authorization purposes (e.g. to serve a CVS repository
    read-write for clients from one network and read-only from
    other network).
Change
    Client network address is passed to PAM subsystem as remote
    host item (PAM_RHOST). In addition, terminal item (PAM_TTY)
    is set to dummy value `cvs' because some PAM modules cannot
    work with unset value.
Result
    PAM system is aware of CVS client network address now.

Comment 15 errata-xmlrpc 2012-02-21 06:20:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0253.html


Note You need to log in before you can comment on or make changes to this bug.