Set PAM_RHOST item for PAM authentication

The PAM_RHOST item is set to the remote IP address or host name and can be used by PAM modules. A pg_hba.conf option is provided to choose between IP address and resolved host name. From: Grzegorz Sampolski <grzsmp@gmail.com> Reviewed-by: Haribabu Kommi <kommi.haribabu@gmail.com>
2025-11-07 19:06:32 +03:00 · 2016-04-08 10:45:16 -04:00
parent 4e55b3f033
commit 2f1d2b7a75
4 changed files with 52 additions and 4 deletions
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1739,6 +1739,18 @@ CheckPAMAuth(Port *port, char *user, char *password)
 {
 	int			retval;
 	pam_handle_t *pamh = NULL;
+	char		hostinfo[NI_MAXHOST];
+
+	retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+								hostinfo, sizeof(hostinfo), NULL, 0,
+								port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
+	if (retval != 0)
+	{
+		ereport(WARNING,
+				(errmsg_internal("pg_getnameinfo_all() failed: %s",
+								 gai_strerror(retval))));
+		return STATUS_ERROR;
+	}

 	/*
 	 * We can't entirely rely on PAM to pass through appdata --- it appears
@@ -1784,6 +1796,17 @@ CheckPAMAuth(Port *port, char *user, char *password)
 		return STATUS_ERROR;
 	}

+	retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+	if (retval != PAM_SUCCESS)
+	{
+		ereport(LOG,
+				(errmsg("pam_set_item(PAM_RHOST) failed: %s",
+					pam_strerror(pamh, retval))));
+		pam_passwd = NULL;
+		return STATUS_ERROR;
+	}
+
 	retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);

 	if (retval != PAM_SUCCESS)