File: missing_dns.patch

Subject: Block IPs when allow_missing_dns=no
Origin: upstream, https://github.com/walterdejong/pam_shield/commit/afa7b246018787fe6028289c414c33292641e1e0
Bug-debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658830
Forwarded: not-needed
Author: Walter de Jong <walter@heiho.net>
Reviewed-by: Jonathan Niehof <jtniehof@gmail.com>
Last-Update: 2012-02-26
--- a/pam_shield.c
+++ b/pam_shield.c
@@ -131,6 +131,7 @@
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
 char *user, *rhost;
 struct passwd *pwd;
+int suspicious_dns;
 
 	if (init_module())
 		return PAM_IGNORE;
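Review bot: `suspicious_dns` is declared without an initializer and is only assigned much later, at the top of the DNS check (`suspicious_dns = 0;` in the @@ -164 hunk), yet every exit path added further down reads it through a ternary; any return inserted between the declaration and that assignment would read an indeterminate value. Initializing at the declaration, `int suspicious_dns = 0;`, closes that gap and makes the later assignment redundant. pam_sm_authenticate's body continues beyond the hunk.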
@@ -152,6 +153,13 @@
 
 	logmsg(LOG_DEBUG, "user %s", (user == NULL) ? "(unknown)" : user);
 
+/* if not blocking all and the user is known, let go */
+	if (!(options & OPT_BLOCK_ALL) && user != NULL && (pwd = getpwnam(user)) != NULL) {
+		logmsg(LOG_DEBUG, "ignoring known user %s", user);
+		deinit_module();
+		return PAM_IGNORE;
+      }
+
 /* get the remotehost address */
 	if (pam_get_item(pamh, PAM_RHOST, (const void **)(void *)&rhost) != PAM_SUCCESS)
 		rhost = NULL;
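Review bot: Relocating the known-user test ahead of the DNS checks changes the outcome for a known user whose rhost is purely numeric when allow_missing_dns is off: at its old position (removed in the @@ -180 hunk) the numeric-rhost check had already returned PAM_AUTH_ERR, whereas now PAM_IGNORE is returned before the DNS policy is consulted. If that exemption is intended, the comment should say so, e.g. `/* known users bypass the DNS policy and the block list; only unknown users are checked */`; if not, the test belongs after the DNS check as before. Separately, the closing brace of the new block is indented with spaces while the surrounding file uses tabs. The enclosing function starts and ends outside the hunk.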
@@ -164,6 +172,7 @@
 /*
 	if rhost is completely numeric, then it has no DNS entry
 */
+	suspicious_dns = 0;
 	if(rhost != NULL) {
 	if (strspn(rhost, "0123456789.") == strlen(rhost)
 		|| strspn(rhost, "0123456789:abcdefABCDEF") == strlen(rhost)) {
@@ -171,8 +180,7 @@
 			logmsg(LOG_DEBUG, "missing DNS entry for %s (allowed)", rhost);
 		else {
 			logmsg(LOG_DEBUG, "missing DNS entry for %s (denied)", rhost);
-			deinit_module();
-			return PAM_AUTH_ERR;
+			suspicious_dns = 1;
 		}
 	} else {
 /*
@@ -180,16 +188,10 @@
 */
 		if (match_name_list(rhost)) {
 			deinit_module();
-			return PAM_IGNORE;
+			return (suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE;
 		}
 	}
 	}
-/* if not blocking all and the user is known, let go */
-	if (!(options & OPT_BLOCK_ALL) && user != NULL && (pwd = getpwnam(user)) != NULL) {
-		logmsg(LOG_DEBUG, "ignoring known user %s", user);
-		deinit_module();
-		return PAM_IGNORE;
-	}
 	if (rhost != NULL) {
 		struct addrinfo *addr_info, *addr_p;
 		unsigned char addr_family;
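Review bot: The ternary added to the match_name_list branch appears to be dead: as far as these hunks show, `suspicious_dns` is set to 1 only inside the numeric-rhost branch (@@ -171 hunk) and later in the reverse-DNS check, and this `else` is the non-numeric branch, so the value here is always the 0 assigned just before the `if`. Returning `PAM_IGNORE` directly, or a comment stating that the ternary is kept only for symmetry with the other exits, would save the reader from hunting for a path that sets it. pam_sm_authenticate continues on both sides of the hunk.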
@@ -205,8 +207,7 @@
 				logmsg(LOG_DEBUG, "missing reverse DNS entry for %s (allowed)", rhost);
 			else {
 				logmsg(LOG_DEBUG, "missing reverse DNS entry for %s (denied)", rhost);
-				deinit_module();
-				return PAM_AUTH_ERR;
+				suspicious_dns = 1;
 			}
 		}
 /* for every address that this host is known for, check for whitelist entry */
@@ -238,13 +239,13 @@
 
 					freeaddrinfo(addr_info);
 					deinit_module();
-					return PAM_IGNORE;
+					return (suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE;
 			}
 /* host is whitelisted by an allow line in the config file, so exit */
 			if (whitelisted) {
 				freeaddrinfo(addr_info);
 				deinit_module();
-				return PAM_IGNORE;
+				return (suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE;
 			}
 		}
 /* open the database */
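Review bot: The `(suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE` expression is now duplicated at five exits — twice here, and once each in the @@ -180, @@ -252 and @@ -330 hunks — so the deny decision lives in five places; a single result computed once, `int rc = suspicious_dns ? PAM_AUTH_ERR : PAM_IGNORE;`, or a small `static inline` helper would keep it in one. It is also worth documenting that a whitelisted host with a missing reverse DNS entry is still denied on the `whitelisted` path: this matches the pre-patch behaviour, where the reverse-DNS check returned PAM_AUTH_ERR before the whitelist loop was reached, but it is no longer obvious from the code, so a comment such as `/* whitelist exempts from the block list, not from allow_missing_dns=no */` would make the policy explicit. pam_sm_authenticate continues on both sides of the hunk.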
@@ -252,7 +253,7 @@
 			logmsg(LOG_ERR, "failed to open gdbm file '%s' : %s", dbfile, gdbm_strerror(gdbm_errno));
 			freeaddrinfo(addr_info);
 			deinit_module();
-			return PAM_IGNORE;
+			return (suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE;
 		}
 /* for every address that this host is known for, check the database */
 		for(addr_p = addr_info; addr_p != NULL; addr_p = addr_p->ai_next) {
@@ -330,7 +331,7 @@
 		gdbm_close(dbf);
 	}
 	deinit_module();
-	return PAM_IGNORE;
+	return (suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE;
 }
 
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {