Bug 2741 - Export client port to PAM
Summary: Export client port to PAM
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support
Version: 7.5p1
Hardware: All Linux
Importance: P5 enhancement
Assignee: Damien Miller
URL:
Keywords:
Depends on:
Blocks: V_8_0
Reported: 2017-07-11 01:47 AEST by Sebastian Roland
Modified: 2021-04-23 15:00 AEST

Attachments
set SSH_CONNECTION in PAM environment (1.85 KB, patch)
2018-12-07 15:42 AEDT, Damien Miller
dtucker: ok+

Description Sebastian Roland 2017-07-11 01:47:25 AEST
Since OpenSSH 7.2 it is possible to identify sessions within log files, as session-related log entries include the client's port. Right now I don't see a good way to correlate output of PAM modules to the session, as only the client's host (PAM_RHOST) is exported to the PAM environment. If the client's port was accessible within PAM it can be included in log messages and thus correlated to a session. Export can be e.g. done through pam_set_item() or pam_putenv().
Comment 1 Damien Miller 2018-12-07 15:42:47 AEDT
Created attachment 3213
set SSH_CONNECTION in PAM environment

Unfortunately it can't be done using pam_set_item() as there is no equivalent key to PAM_RHOST for the port number. That's a pity as that would be the most natural way to supply this information.

So this sets SSH_CONNECTION in the PAM environment, identically to what should be later set in the user environment. This contains the full 4-tuple describing the connection.
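
An added example, not part of the attached patch or of OpenSSH: a sketch of how a PAM session module could read SSH_CONNECTION with pam_getenv() and log the client port so its messages can be matched to sshd's "from <host> port <port>" entries. The module, the `WITH_PAM` build switch, the struct and the parser name are hypothetical; the value layout assumed is the documented four space-separated fields (client IP, client port, server IP, server port).

```c
#include <stdio.h>
#include <string.h>

/* SSH_CONNECTION holds "client_ip client_port server_ip server_port". */
struct ssh_conn { char client_ip[64], server_ip[64]; int client_port, server_port; };

/* Parse the 4-tuple; returns 0 on success, -1 on missing or malformed input. */
int parse_ssh_connection(const char *val, struct ssh_conn *out)
{
    char extra;
    if (val == NULL || out == NULL)
        return -1;
    /* Widths bound every field; the final %c only matches trailing junk. */
    if (sscanf(val, "%63s %5d %63s %5d %c", out->client_ip, &out->client_port,
               out->server_ip, &out->server_port, &extra) != 4)
        return -1;
    if (out->client_port < 1 || out->client_port > 65535 ||
        out->server_port < 1 || out->server_port > 65535)
        return -1;
    return 0;
}

#ifdef WITH_PAM /* hypothetical module: cc -fPIC -shared -DWITH_PAM ... -lpam */
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <syslog.h>
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct ssh_conn c;
    (void)flags; (void)argc; (void)argv;
    /* pam_getenv() returns NULL when sshd did not export the variable. */
    if (parse_ssh_connection(pam_getenv(pamh, "SSH_CONNECTION"), &c) == 0)
        pam_syslog(pamh, LOG_INFO, "session from %s port %d", c.client_ip, c.client_port);
    return PAM_IGNORE;
}
int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_IGNORE;
}
#else
int main(void)
{
    struct ssh_conn c; /* constructed sample value using documentation addresses */
    if (parse_ssh_connection("192.0.2.10 51234 192.0.2.1 22", &c) != 0)
        return 1;
    printf("session from %s port %d\n", c.client_ip, c.client_port);
    return 0;
}
#endif
```

Without `-DWITH_PAM` the file builds as a small stand-alone program that exercises only the parser.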
Comment 2 Damien Miller 2018-12-14 13:24:27 AEDT
This has been committed and will be in the openssh-8.0 release
Comment 3 Damien Miller 2021-04-23 15:00:58 AEST
closing resolved bugs as of 8.6p1 release