processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/ejabberd/

ejabberd does not fill out pam rhost field #2858

Open dorchain opened 5 years ago

dorchain commented 5 years ago

Hello,

as of version 18.12.1, ejabberd does not place anything in the rhost field. Easiest check is with pam_warn.

Mar 20 13:27:46 Redstar epam: pam_warn(ejabberd:auth): function=[pam_sm_authenticate] flags=0 service=[ejabberd] terminal=[] user=[] ruser=[] rhost=[]

The corresponding functionality in the erlang-p1-pam package has been available for a while (cf. #1591).

As it is in the ejabberd.log, it should be provided to the PAM stack as well, as it is not a local service (like e.g. cron).

zinid commented 5 years ago

Indeed, ejabberd doesn't fill this field. I'm a bit clueless, what should be in that field?

dorchain commented 5 years ago

> Indeed, ejabberd doesn't fill this field. I'm a bit clueless, what should be in that field?

Sorry, I overlooked the question.

In my understanding of PAM, the RHOST field contains the remote host from which the connection was initiated.

So for a client connecting to ejabberd to be authenticated with pam, we need:

PAM_RUSER is the remote user name on the client machine, in case it is different from the local user name we are trying to authenticate, and optional. (For me, I do not care; besides, it would be hard to get.) PAM_TERMINAL makes sense for ttys. If anything, use the same value as for PAM_SERVICE, or just leave it empty.

Besides, I would like to point to The Linux-PAM Application Developers' Guide, specifically chapter 3.1.3.1.
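
An added example (not from the issue thread or from ejabberd): a small Python check that parses pam_warn lines in the format quoted in the report and lists events from network-facing services that reached the PAM stack with an empty rhost. The `NETWORK_SERVICES` set and every sample line except the first are assumptions constructed for illustration.

```python
import re

# pam_warn logs each PAM item as name=[value]; values may be empty.
HEADER = re.compile(r"pam_warn\((?P<svc>[^:)]+):(?P<type>[^)]+)\):")
ITEM = re.compile(r"(\w+)=\[([^\]]*)\]")

# Assumption: services on this host that accept remote clients.
NETWORK_SERVICES = {"ejabberd", "sshd"}


def parse_pam_warn(line):
    """Return the PAM items of a pam_warn syslog line as a dict, or None."""
    header = HEADER.search(line)
    if header is None:
        return None
    items = dict(ITEM.findall(line[header.end():]))
    items["mgmt_group"] = header.group("type")
    # Prefer the service item; fall back to the name in the log prefix.
    items["service"] = items.get("service") or header.group("svc")
    return items


def missing_rhost(lines, network_services=NETWORK_SERVICES):
    """Return parsed events from network services whose rhost item is empty."""
    findings = []
    for line in lines:
        event = parse_pam_warn(line)
        if event is None:
            continue
        if event["service"] in network_services and not event.get("rhost"):
            findings.append(event)
    return findings


# Constructed sample: the first line is the one quoted in the report; the
# others are made up for contrast (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "Mar 20 13:27:46 Redstar epam: pam_warn(ejabberd:auth): function=[pam_sm_authenticate] flags=0 service=[ejabberd] terminal=[] user=[] ruser=[] rhost=[]",
    "Mar 20 13:28:02 Redstar sshd[812]: pam_warn(sshd:auth): function=[pam_sm_authenticate] flags=0 service=[sshd] terminal=[ssh] user=[alice] ruser=[] rhost=[192.0.2.10]",
    "Mar 20 13:30:00 Redstar CRON[900]: pam_warn(cron:session): function=[pam_sm_open_session] flags=0 service=[cron] terminal=[cron] user=[root] ruser=[] rhost=[]",
]

if __name__ == "__main__":
    for ev in missing_rhost(SAMPLE_LOG):
        print(f"{ev['service']}: {ev['function']} called with empty rhost")
```

The local cron line is deliberately not flagged, matching the distinction the report draws between a network service and a local one.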