authorDamien Miller <djm@mindrot.org>2018-12-07 05:41:16 +0100
committerDamien Miller <djm@mindrot.org>2018-12-14 03:23:48 +0100
commit8a22ffaa13391cfe5b40316d938fe0fb931e9296 (patch)
tree4d8caa21acbf05e580e393d2f031bcd3bce873e1 /auth-pam.c
parentDon't pass loginmsg by address now that it's an sshbuf* (diff)
expose $SSH_CONNECTION in the PAM environment
This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741
Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 1dec53e92..d67324e1f 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -673,6 +673,7 @@ sshpam_init(Authctxt *authctxt)
{
const char *pam_rhost, *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
+ char *laddr, *conninfo;
struct ssh *ssh = active_state; /* XXX */
if (sshpam_handle != NULL) {
@@ -702,6 +703,15 @@ sshpam_init(Authctxt *authctxt)
sshpam_handle = NULL;
return (-1);
}
+
+ laddr = get_local_ipaddr(packet_get_connection_in());
+ xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ laddr, ssh_local_port(ssh));
+ pam_putenv(sshpam_handle, conninfo);
+ free(laddr);
+ free(conninfo);
+
#ifdef PAM_TTY_KLUDGE
/*
* Some silly PAM modules (e.g. pam_time) require a TTY to operate.
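Review bot: The return value of `pam_putenv()` in the added block is dropped, so a failure leaves the PAM stack running without SSH_CONNECTION and nothing is logged; a module that bases an access decision on the variable would then see it as missing with no hint why. Checking it, e.g. `if (pam_putenv(sshpam_handle, conninfo) != PAM_SUCCESS) error("PAM: failed to set SSH_CONNECTION");`, would be in line with the failure path visible just above, which clears the handle and returns -1. `laddr` is also passed to `%.50s` without a NULL check; whether `get_local_ipaddr()` can return NULL is not visible in this hunk, so that should be confirmed before relying on it. A one-line comment stating that both addresses are taken from the connected socket, not from client-supplied strings, would help anyone writing PAM policy that trusts the value. sshpam_init's body starts and ends outside the hunk.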