expose $SSH_CONNECTION in the PAM environment

This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741
author: Damien Miller <djm@mindrot.org> 2018-12-07 15:41:16 +1100
committer: Damien Miller <djm@mindrot.org> 2018-12-14 13:23:48 +1100
commit: 8a22ffaa13391cfe5b40316d938fe0fb931e9296 (patch)
tree: 4d8caa21acbf05e580e393d2f031bcd3bce873e1 /auth-pam.c
parent: a784fa8c7a7b084d63bae82ccfea902131bb45c5 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 1dec53e92..d67324e1f 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -673,6 +673,7 @@ sshpam_init(Authctxt *authctxt)
 {
        const char *pam_rhost, *pam_user, *user = authctxt->user;
        const char **ptr_pam_user = &pam_user;
+        char *laddr, *conninfo;
        struct ssh *ssh = active_state; /* XXX */
        if (sshpam_handle != NULL) {
@@ -702,6 +703,15 @@ sshpam_init(Authctxt *authctxt)
                sshpam_handle = NULL;
                return (-1);
        }
+        laddr = get_local_ipaddr(packet_get_connection_in());
+        xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
+            ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+            laddr, ssh_local_port(ssh));
+        pam_putenv(sshpam_handle, conninfo);
+        free(laddr);
+        free(conninfo);
 #ifdef PAM_TTY_KLUDGE
        /*
         * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
author	Damien Miller <djm@mindrot.org>	2018-12-07 15:41:16 +1100
committer	Damien Miller <djm@mindrot.org>	2018-12-14 13:23:48 +1100
commit	8a22ffaa13391cfe5b40316d938fe0fb931e9296 (patch)
tree	4d8caa21acbf05e580e393d2f031bcd3bce873e1 /auth-pam.c
parent	a784fa8c7a7b084d63bae82ccfea902131bb45c5 (diff)