
Pass remote ip address to PAM #392

Closed
Natureshadow opened this issue Jun 24, 2016 · 10 comments · Fixed by #2251

@Natureshadow
Contributor

Trying to handle RDP logins in fail2ban, I found that the PAM stack apparently does not receive the address of the remote host trying to authenticate. I can imagine that knowledge of that could come in handy in other situations as well.

Is it possible to make xrdp pass the remote address to PAM as rhost?

@metalefty
Member

That's interesting. Worth enough to implement if possible.

@Natureshadow
Contributor Author

I looked into the code, and there is one related issue: namely that sesman does not know about the IP address of the client to xrdp.

Passing the address to PAM, once known, is trivial and I already implemented that.

If you can give me a hint on how to possibly pass the socket address, as known to kog_msg in os_calls.c, to sesman, I could finish this.

However, I think this needs changes in the sesman protocol.

@proski
Contributor

proski commented Nov 1, 2016

On a related note, users in my company are complaining that they get prompts for updates, even though PackageKit is configured to only authenticate local users. It turns out that xrdp sessions are considered local. Also, they are not considered active for whatever reason. If we fix that, it would be great. Let's code the right thing for the latest and greatest PAM, and I'll take care of the nice looking backport ;)

$ ck-list-sessions
Session25:
    unix-user = '3186326'
    realname = 'Pavel Roskin'
    seat = 'Seat26'
    session-type = ''
    active = FALSE
    x11-display = ':11.0'
    x11-display-device = ''
    display-device = ''
    remote-host-name = ''
    is-local = TRUE
    on-since = '2016-11-01T20:49:29.725534Z'
    login-session-id = '92233'

@akkornel

I think this would need a few things done:

  • In scp_v0_process2 and scp_v1_process3, change the call to auth_userpass to pass s->client_ip as the fourth parameter.
  • In PAM's auth_userpass4, make a number of changes:
    -- Add a fourth parameter, const char * client_ip.
    -- After pam_start completes successfully, call pam_set_item to set PAM_RHOST to (void *)client_ip.

There are a number of PAM modules, beyond fail2ban, which use the client IP. For example, Duo's PAM module (which implements two-step authentication) can use PAM_RHOST to see if the client is coming from a "trusted network" (which means two-step may not be needed).

@Deadpan110

Just a quick note on the original request "Trying to handle RDP logins in fail2ban"
xrdp-sesman[16570]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=someuser
Where rhost does not contain a remote IP for fail2ban to remember.

The fail2ban config can be set to monitor any log it can access and can be customised to grab the IP address using regex strings.

In essence, for fail2ban use - xrdp could simply log the IP in syslog when a user fails to authenticate.
[Warning] Access denied for user 'someuser@123.123.123.123' would be enough for fail2ban to work.
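As an added example (not code from the thread, xrdp or fail2ban), this is how a fail2ban-style failregex sees the two log formats quoted above: the pam_unix line with an empty rhost= yields no address to act on, while a line carrying rhost= or the suggested 'user@ip' message does. The <HOST> stand-in pattern, the sample log lines and the addresses in them are constructed for illustration.

```python
import re
from typing import Optional

# fail2ban expands the <HOST> tag in a failregex to a pattern matching an
# IP address or hostname; this simplified stand-in covers IPv4 and IPv6.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,39})"

# The pam_unix line quoted in the thread. With an empty rhost= field the
# <HOST> part cannot match, so there is no address to ban.
PAM_UNIX_RE = re.compile(
    r"xrdp-sesman\[\d+\]: pam_unix\(xrdp-sesman:auth\): authentication failure;"
    r" .*\brhost=" + HOST + r"\b"
)

# The alternative message suggested above: user@ip inside quotes.
ACCESS_DENIED_RE = re.compile(
    r"\[Warning\] Access denied for user '[^'@]+@" + HOST + r"'"
)

def extract_host(line: str) -> Optional[str]:
    """Return the remote address in a failed-login line, or None if absent."""
    for rx in (PAM_UNIX_RE, ACCESS_DENIED_RE):
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def count_failures(lines, maxretry=3):
    """Tally failures per host like fail2ban's maxretry.

    Returns (hosts at or over the threshold, number of failure lines that
    carried no usable address, i.e. the empty rhost= case).
    """
    counts = {}
    skipped = 0
    for line in lines:
        host = extract_host(line)
        if host is None:
            skipped += 1
            continue
        counts[host] = counts.get(host, 0) + 1
    return {h for h, n in counts.items() if n >= maxretry}, skipped

# Constructed sample log lines modelled on the messages in this thread.
SAMPLE_LOG = [
    "xrdp-sesman[16570]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=someuser",
    "xrdp-sesman[16570]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost=203.0.113.7 user=someuser",
    "[Warning] Access denied for user 'someuser@123.123.123.123'",
]
```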

@avuko

avuko commented Sep 16, 2017

Could I ask what the status is of this? I have followed up on @akkornel's ideas, but I'm out of my depth and haven't been able to get it working (yet?).

@metalefty
Member

I've just started research to implement it since last week.

@avuko

avuko commented Sep 17, 2017

Cool, if there is anything I can do to help test, ('cause you don't want my C to end up in prod ;) let me know.

@metalefty metalefty self-assigned this Sep 18, 2017
@raidenii

Sorry to bump this old thread, but is this still planned to be implemented? As mentioned above, it would be helpful for 2FA (like Duo) to know the client IP and determine whether the connection is from a trusted network.

Thanks.

@matt335672
Member

@metalefty - I see you've got this self-assigned at the mo'.

If you're struggling to find time to pick it up I'll be happy to do so. Let me know.

Thanks,
