Bug 2741

Summary: Export client port to PAM
Product: Portable OpenSSH
Reporter: Sebastian Roland <seroland86>
Component: PAM support
Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: enhancement
CC: djm, dtucker
Priority: P5
Version: 7.5p1
Hardware: All
OS: Linux
See Also: https://bugzilla.mindrot.org/show_bug.cgi?id=2503
Bug Depends on:
Bug Blocks: 2915
Attachments: set SSH_CONNECTION in PAM environment (flags: dtucker: ok+)

Description Sebastian Roland 2017-07-11 01:47:25 AEST
Since OpenSSH 7.2 it is possible to identify sessions within log files, as session-related log entries include the client's port. Right now I don't see a good way to correlate output of PAM modules to the session, as only the client's host (PAM_RHOST) is exported to the PAM environment. If the client's port was accessible within PAM, it could be included in log messages and thus correlated to a session. Export can be done e.g. through pam_set_item() or pam_putenv().
Comment 1 Damien Miller 2018-12-07 15:42:47 AEDT
Created attachment 3213
set SSH_CONNECTION in PAM environment

Unfortunately it can't be done using pam_set_item() as there is no equivalent key to PAM_RHOST for the port number. That's a pity as that would be the most natural way to supply this information.

So this sets SSH_CONNECTION in the PAM environment, identically to what should be later set in the user environment. This contains the full 4-tuple describing the connection.
Comment 2 Damien Miller 2018-12-14 13:24:27 AEDT
This has been committed and will be in the openssh-8.0 release
Comment 3 Damien Miller 2021-04-23 15:00:58 AEST
closing resolved bugs as of 8.6p1 release
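
Added example, not part of the bug thread or the OpenSSH patch: a pam_exec hook that reads the SSH_CONNECTION value described in Comment 1 and logs the client address and port, so PAM-side entries can be matched to sshd's own "from ADDR port N" lines. It assumes OpenSSH 8.0 or later and relies on pam_exec passing the PAM environment to the script; the script path, the `ssh-pam-hook` syslog tag and the field validation rules are choices made for this illustration.

```sh
#!/bin/sh
# Assumed PAM configuration line (hypothetical path):
#   session optional pam_exec.so /usr/local/sbin/ssh-conn-log.sh
# SSH_CONNECTION has the form "client_ip client_port server_ip server_port".

# is_port N: succeed only for a decimal integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_addr A: accept only characters found in IPv4/IPv6 literals (plus a
# %scope suffix), so no other bytes can end up in the log line.
is_addr() {
    case "$1" in
        ''|*[!0-9A-Za-z:.%_-]*) return 1 ;;
    esac
    return 0
}

# ssh_conn_tag VALUE: print "from <ip> port <n> to <ip> port <n>" for a
# well-formed 4-tuple; print nothing and return non-zero otherwise.
ssh_conn_tag() {
    printf '%s\n' "$1" | {
        read -r c_ip c_port s_ip s_port extra
        [ -z "$extra" ] &&
        is_addr "$c_ip" && is_port "$c_port" &&
        is_addr "$s_ip" && is_port "$s_port" &&
        printf 'from %s port %s to %s port %s\n' \
            "$c_ip" "$c_port" "$s_ip" "$s_port"
    }
}

# Log only when run by pam_exec, which sets PAM_TYPE (e.g. open_session).
if [ -n "${PAM_TYPE:-}" ]; then
    if tag=$(ssh_conn_tag "${SSH_CONNECTION:-}"); then
        logger -t ssh-pam-hook -p auth.info "$PAM_TYPE $tag"
    else
        logger -t ssh-pam-hook -p auth.warning \
            "$PAM_TYPE: SSH_CONNECTION missing or malformed"
    fi
fi
```

A C PAM module would obtain the same string with pam_getenv(pamh, "SSH_CONNECTION") and apply the same field checks before logging it.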