{
const char *pam_rhost, *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
+ char *laddr, *conninfo;
struct ssh *ssh = active_state; /* XXX */
if (sshpam_handle != NULL) {
sshpam_handle = NULL;
return (-1);
}
+
+ laddr = get_local_ipaddr(packet_get_connection_in());
+ xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ laddr, ssh_local_port(ssh));
+ pam_putenv(sshpam_handle, conninfo);
+ free(laddr);
+ free(conninfo);
+
#ifdef PAM_TTY_KLUDGE
/*
* Some silly PAM modules (e.g. pam_time) require a TTY to operate.
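Review bot: The return value of `pam_putenv(sshpam_handle, conninfo)` is discarded, so a failure leaves the PAM stack running without SSH_CONNECTION and nothing is logged; a module that bases an access decision on that variable would see it as unset. Capturing the result in a local and logging it would make this visible, e.g. `if ((r = pam_putenv(sshpam_handle, conninfo)) != PAM_SUCCESS) debug("PAM: pam_putenv failed: %s", pam_strerror(sshpam_handle, r));` with `int r` declared beside `laddr`. The `%.50s` conversions silently truncate longer address strings, which deserves a short comment stating the assumed maximum length. The hunk headers are missing from this view and the function starts and ends outside it, so that `sshpam_handle` is valid at this call is presumed from code not shown.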
char **p;
/*
- * Don't allow SSH_AUTH_INFO variables posted to PAM to leak
- * back into the environment.
+ * Don't allow PAM-internal env vars to leak
+ * back into the session environment.
*/
+#define PAM_ENV_BLACKLIST "SSH_AUTH_INFO*,SSH_CONNECTION*"
p = fetch_pam_child_environment();
- copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
+ copy_environment_blacklist(p, &env, &envsize,
+ PAM_ENV_BLACKLIST);
free_pam_environment(p);
p = fetch_pam_environment();
- copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
+ copy_environment_blacklist(p, &env, &envsize,
+ PAM_ENV_BLACKLIST);
free_pam_environment(p);
}
#endif /* USE_PAM */
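Review bot: `PAM_ENV_BLACKLIST` is `#define`d inside a block, between the comment and the first `fetch_pam_child_environment()` call, so it reads as local but stays defined for the rest of the translation unit. I would move it to file scope (or `#undef` it after the second `copy_environment_blacklist` call) and give it its own comment, such as `/* Variables sshd hands to PAM modules only; never copied into the session environment. */`. That comment should also say that both patterns end in `*`, so any PAM-supplied variable whose name merely begins with `SSH_CONNECTION` is dropped as well, presumably by glob matching in `copy_environment_blacklist`, which is not visible here. The enclosing function begins and ends outside this hunk.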