diff -up pegasus/src/Executor/PAMAuth.h.local-or-remote-auth pegasus/src/Executor/PAMAuth.h --- pegasus/src/Executor/PAMAuth.h.local-or-remote-auth 2009-12-15 11:52:33.000000000 +0100 +++ pegasus/src/Executor/PAMAuth.h 2011-05-19 14:26:12.849499761 +0200 @@ -49,6 +49,9 @@ #include #include +#include +typedef int Boolean; + #ifdef PEGASUS_FLAVOR # define PAM_CONFIG_FILE "wbem" PEGASUS_FLAVOR #else @@ -398,29 +401,60 @@ static int PAMValidateUserCallback( */ static int PAMAuthenticateInProcess( - const char* username, const char* password) + const char* username, const char* password, const Boolean isRemoteUser) { PAMData data; struct pam_conv pconv; pam_handle_t* handle; + int retcode; data.password = password; pconv.conv = PAMAuthenticateCallback; pconv.appdata_ptr = &data; + // NOTE: if any pam call should log anything, our syslog socket will be redirected + // to the AUTH facility, so we need to redirect it back after each pam call. + + if ((retcode = pam_start(PAM_CONFIG_FILE, username, &pconv, &handle)) != PAM_SUCCESS) + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(handle, retcode)); + syslog(LOG_ERR, "PAM authentication failed for %s user: %s", + isRemoteUser ? "remote" : "local", username); + return -1; + } - if (pam_start(PAM_CONFIG_FILE, username, &pconv, &handle) != PAM_SUCCESS) + if ((retcode = pam_set_item(handle, PAM_TTY, isRemoteUser ? "wbemNetwork" : "wbemLocal")) != PAM_SUCCESS) + { + pam_end(handle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_set_item(PAM_TTY=wbem) failed: %s", pam_strerror(handle, retcode)); + syslog(LOG_ERR, "PAM authentication failed for %s user: %s", + isRemoteUser ? "remote" : "local", username); return -1; + } - if (pam_authenticate(handle, 0) != PAM_SUCCESS) + if ((retcode = pam_authenticate(handle, 0)) != PAM_SUCCESS) { pam_end(handle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_authenticate failed: %s",pam_strerror(handle, retcode)); + syslog(LOG_ERR, "PAM authentication failed for %s user: %s", + isRemoteUser ? "remote" : "local", username); return -1; } - if (pam_acct_mgmt(handle, 0) != PAM_SUCCESS) + if ((retcode = pam_acct_mgmt(handle, 0)) != PAM_SUCCESS) { pam_end(handle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_acct_mgmt failed: %s",pam_strerror(handle, retcode)); + syslog(LOG_ERR, "PAM authentication failed for %s user: %s", + isRemoteUser ? "remote" : "local", username); return -1; } @@ -444,16 +478,34 @@ static int PAMValidateUserInProcess(cons PAMData data; struct pam_conv pconv; pam_handle_t* phandle; + int retcode; pconv.conv = PAMValidateUserCallback; pconv.appdata_ptr = &data; - if (pam_start(PAM_CONFIG_FILE, username, &pconv, &phandle) != PAM_SUCCESS) + if ((retcode = pam_start(PAM_CONFIG_FILE, username, &pconv, &phandle)) != PAM_SUCCESS) + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_start() failed: %s", pam_strerror(phandle, retcode)); return -1; + } + + if ((retcode = pam_set_item(phandle, PAM_TTY, "wbemLocal")) != PAM_SUCCESS) + { + pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_set_item(PAM_TTY=wbemLocal) failed: %s", pam_strerror(phandle, retcode)); + return -1; + } - if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS) + if ((retcode = pam_acct_mgmt(phandle, 0)) != PAM_SUCCESS) { pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_acct_mgmt() failed: %s", pam_strerror(phandle, retcode)); return -1; } @@ -472,12 +524,12 @@ static int PAMValidateUserInProcess(cons **============================================================================== */ -static int PAMAuthenticate(const char* username, const char* password) +static int PAMAuthenticate(const char* username, const char* password, const Boolean isRemoteUser) { #ifdef PEGASUS_USE_PAM_STANDALONE_PROC return CimserveraProcessOperation("authenticate", username, password); #else - return PAMAuthenticateInProcess(username, password); + return PAMAuthenticateInProcess(username, password, isRemoteUser); #endif } diff -up pegasus/src/Executor/Parent.c.local-or-remote-auth pegasus/src/Executor/Parent.c --- pegasus/src/Executor/Parent.c.local-or-remote-auth 2011-05-19 14:26:49.662347923 +0200 +++ pegasus/src/Executor/Parent.c 2011-05-19 14:44:30.248822405 +0200 @@ -635,7 +635,7 @@ static void HandleAuthenticatePasswordRe #if defined(PEGASUS_PAM_AUTHENTICATION) - if (PAMAuthenticate(request.username, request.password) != 0) + if (PAMAuthenticate(request.username, request.password, 0) != 0) { status = -1; break; diff -up pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.local-or-remote-auth pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c --- pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.local-or-remote-auth 2011-05-19 15:34:25.895309730 +0200 +++ pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c 2011-05-19 15:34:39.744506661 +0200 @@ -49,7 +49,7 @@ int main() sprintf(prompt, "Enter password for %s: ", PEGASUS_CIMSERVERMAIN_USER); pw = getpass(prompt); - if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw) == 0) + if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw, 0) == 0) printf("Correct password\n"); else printf("Wrong password\n"); diff -up pegasus/src/Pegasus/Common/AuthenticationInfo.h.local-or-remote-auth pegasus/src/Pegasus/Common/AuthenticationInfo.h --- pegasus/src/Pegasus/Common/AuthenticationInfo.h.local-or-remote-auth 2008-12-16 19:55:59.000000000 +0100 +++ pegasus/src/Pegasus/Common/AuthenticationInfo.h 2011-05-19 14:26:12.849499761 +0200 @@ -354,6 +354,22 @@ public: return _rep->getRemotePrivilegedUserAccessChecked(); } + /** Indicate whether the user is Remote + */ + Boolean isRemoteUser() const + { + CheckRep(_rep); + return _rep->isRemoteUser(); + } + + /** Set the Remote User flag + */ + void setRemoteUser(Boolean isRemoteUser) + { + CheckRep(_rep); + _rep->setRemoteUser(isRemoteUser); + } + private: AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep) diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp --- pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.local-or-remote-auth 2010-07-28 16:37:52.000000000 +0200 +++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp 2011-05-19 14:26:12.850499919 +0200 @@ -46,7 +46,8 @@ const String AuthenticationInfoRep::AUTH AuthenticationInfoRep::AuthenticationInfoRep(Boolean flag) : _connectionAuthenticated(false), - _wasRemotePrivilegedUserAccessChecked(false) + _wasRemotePrivilegedUserAccessChecked(false), + _isRemoteUser(true) { PEG_METHOD_ENTER( TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep"); @@ -79,6 +80,16 @@ AuthenticationInfoRep::~AuthenticationIn PEG_METHOD_EXIT(); } +void AuthenticationInfoRep::setRemoteUser(Boolean isRemoteUser) +{ + PEG_METHOD_ENTER(TRC_AUTHENTICATION, + "AuthenticationInfoRep::setRemoteUser"); + + _isRemoteUser = isRemoteUser; + + PEG_METHOD_EXIT(); +} + void AuthenticationInfoRep::setConnectionAuthenticated( Boolean connectionAuthenticated) { diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.local-or-remote-auth pegasus/src/Pegasus/Common/AuthenticationInfoRep.h --- pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.local-or-remote-auth 2008-12-16 19:55:59.000000000 +0100 +++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.h 2011-05-19 14:26:12.851500077 +0200 @@ -147,6 +147,13 @@ public: void setSecurityAssociation(); #endif + Boolean isRemoteUser() const + { + return _isRemoteUser; + } + + void setRemoteUser(Boolean isRemoteUser); + Array getClientCertificateChain() { return _clientCertificate; @@ -190,6 +197,7 @@ private: Boolean _wasRemotePrivilegedUserAccessChecked; Array _clientCertificate; + Boolean _isRemoteUser; }; PEGASUS_NAMESPACE_END diff -up pegasus/src/Pegasus/Common/Executor.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/Executor.cpp --- pegasus/src/Pegasus/Common/Executor.cpp.local-or-remote-auth 2010-10-29 07:29:50.000000000 +0200 +++ pegasus/src/Pegasus/Common/Executor.cpp 2011-05-19 14:26:12.852500235 +0200 @@ -126,7 +126,8 @@ public: virtual int authenticatePassword( const char* username, - const char* password) = 0; + const char* password, + Boolean isRemoteUser) = 0; virtual int validateUser( const char* username) = 0; @@ -560,10 +561,11 @@ public: virtual int authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { #if defined(PEGASUS_PAM_AUTHENTICATION) - return PAMAuthenticate(username, password); + return PAMAuthenticate(username, password, isRemoteUser); #else // ATTN: not handled so don't call in this case. return -1; @@ -904,7 +906,8 @@ public: virtual int authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { AutoMutex autoMutex(_mutex); @@ -1173,10 +1176,11 @@ int Executor::reapProviderAgent( int Executor::authenticatePassword( const char* username, - const char* password) + const char* password, + Boolean isRemoteUser) { once(&_executorImplOnce, _initExecutorImpl); - return _executorImpl->authenticatePassword(username, password); + return _executorImpl->authenticatePassword(username, password, isRemoteUser); } int Executor::validateUser( diff -up pegasus/src/Pegasus/Common/Executor.h.local-or-remote-auth pegasus/src/Pegasus/Common/Executor.h --- pegasus/src/Pegasus/Common/Executor.h.local-or-remote-auth 2010-10-29 07:29:50.000000000 +0200 +++ pegasus/src/Pegasus/Common/Executor.h 2011-05-19 14:26:12.853500393 +0200 @@ -184,7 +184,8 @@ public: */ static int authenticatePassword( const char* username, - const char* password); + const char* password, + Boolean isRemoteUser); /** Check whether the given user is valid for the underlying authentcation mechanism. diff -up pegasus/src/Pegasus/Common/HTTPConnection.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/HTTPConnection.cpp --- pegasus/src/Pegasus/Common/HTTPConnection.cpp.local-or-remote-auth 2011-04-19 12:39:52.000000000 +0200 +++ pegasus/src/Pegasus/Common/HTTPConnection.cpp 2011-05-19 14:26:12.854500551 +0200 @@ -2295,6 +2295,30 @@ void HTTPConnection::_handleReadEvent() message->contentLanguages = contentLanguages; message->dest = _outputMessageQueue->getQueueId(); + // Allow authenticators to differentiate Remote and Local users: + struct sockaddr_in sin_peer, sin_svr; // don't need to worry about IPv6 yet ... + socklen_t slen1=sizeof(struct sockaddr_in), slen2=sizeof(struct sockaddr_in); + uint32_t sock = _socket.get()->getSocket() ; + memset(&sin_peer,'\0',slen1); + memset(&sin_svr, '\0',slen2); + if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 ) + ||( ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0 ) + ) + { + if( sin_peer.sin_family == AF_INET ) + { + if( ((ntohl( sin_peer.sin_addr.s_addr ) >> 24) & 0xff) == 127 ) + // message was sent FROM localhost interface + message->isFromRemoteHost = false; + } + if( sin_svr.sin_family == AF_INET ) + { + if( ((ntohl( sin_svr.sin_addr.s_addr ) >> 24) & 0xff) == 127 ) + // message was sent TO localhost interface + message->isFromRemoteHost = false; + } + } + // // The _closeConnection method sets the _connectionClosePending flag. // If we are executing on the client side and the diff -up pegasus/src/Pegasus/Common/HTTPMessage.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/HTTPMessage.cpp --- pegasus/src/Pegasus/Common/HTTPMessage.cpp.local-or-remote-auth 2011-01-25 13:10:21.000000000 +0100 +++ pegasus/src/Pegasus/Common/HTTPMessage.cpp 2011-05-19 14:26:12.856500867 +0200 @@ -134,7 +134,8 @@ HTTPMessage::HTTPMessage( authInfo(0), acceptLanguagesDecoded(false), contentLanguagesDecoded(false), - binaryResponse(false) + binaryResponse(false), + isFromRemoteHost(true) { if (cimException_) cimException = *cimException_; diff -up pegasus/src/Pegasus/Common/HTTPMessage.h.local-or-remote-auth pegasus/src/Pegasus/Common/HTTPMessage.h --- pegasus/src/Pegasus/Common/HTTPMessage.h.local-or-remote-auth 2011-01-25 13:10:21.000000000 +0100 +++ pegasus/src/Pegasus/Common/HTTPMessage.h 2011-05-19 14:26:12.856500867 +0200 @@ -73,6 +73,7 @@ public: ContentLanguageList contentLanguages; Boolean acceptLanguagesDecoded; Boolean contentLanguagesDecoded; + Boolean isFromRemoteHost; CIMException cimException; bool binaryResponse; diff -up pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp --- pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.local-or-remote-auth 2010-10-29 07:29:50.000000000 +0200 +++ pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp 2011-05-19 14:26:12.857501025 +0200 @@ -76,7 +76,7 @@ void testExecutorLoopbackImpl() #endif PEGASUS_TEST_ASSERT(Executor::authenticatePassword( - "xnonexistentuserx", "wrongpassword") == -1); + "xnonexistentuserx", "wrongpassword", true) == -1); PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1); char challengeFilePath[EXECUTOR_BUFFER_SIZE]; @@ -115,7 +115,7 @@ void testExecutorSocketImpl() PEGASUS_TEST_ASSERT(Executor::reapProviderAgent(123) == 0); PEGASUS_TEST_ASSERT(Executor::authenticatePassword( - "xnonexistentuserx", "wrongpassword") == -1); + "xnonexistentuserx", "wrongpassword", true) == -1); PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1); char challengeFilePath[EXECUTOR_BUFFER_SIZE]; diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp --- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.local-or-remote-auth 2009-08-07 07:43:31.000000000 +0200 +++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2011-05-19 14:26:12.858501183 +0200 @@ -153,7 +153,7 @@ Boolean BasicAuthenticationHandler::auth } authInfo->setRemotePrivilegedUserAccessChecked(); - authenticated = _basicAuthenticator->authenticate(userName, password); + authenticated = _basicAuthenticator->authenticate(userName, password, authInfo->isRemoteUser()); // Log audit message. PEG_AUDIT_LOG(logBasicAuthentication( diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h --- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.local-or-remote-auth 2008-12-16 19:57:08.000000000 +0100 +++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2011-05-19 14:26:12.858501183 +0200 @@ -65,7 +65,8 @@ public: */ virtual Boolean authenticate( const String& userName, - const String& password) = 0; + const String& password, + Boolean isRemoteUser) = 0; /** Construct and return the HTTP Basic authentication challenge header @return A string containing the authentication challenge header. diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h --- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.local-or-remote-auth 2008-12-16 19:57:08.000000000 +0100 +++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2011-05-19 14:26:12.859501341 +0200 @@ -53,7 +53,8 @@ public: Boolean authenticate( const String& userName, - const String& password); + const String& password, + Boolean isRemoteUser); Boolean validateUser(const String& userName); diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp --- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.local-or-remote-auth 2008-12-16 19:57:08.000000000 +0100 +++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2011-05-19 14:26:12.859501341 +0200 @@ -73,7 +73,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti Boolean PAMBasicAuthenticator::authenticate( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::authenticate()"); diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp --- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.local-or-remote-auth 2008-12-16 19:57:08.000000000 +0100 +++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2011-05-19 14:26:12.860501499 +0200 @@ -64,13 +64,14 @@ PAMBasicAuthenticator::~PAMBasicAuthenti Boolean PAMBasicAuthenticator::authenticate( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::authenticate()"); if (Executor::authenticatePassword( - userName.getCString(), password.getCString()) != 0) + userName.getCString(), password.getCString(), isRemoteUser) != 0) { return false; } diff -up pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp --- pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.local-or-remote-auth 2009-04-17 16:39:31.000000000 +0200 +++ pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp 2011-05-19 14:26:12.860501499 +0200 @@ -236,7 +236,7 @@ Boolean SecureBasicAuthenticator::authen if (Executor::detectExecutor() == 0) { if (Executor::authenticatePassword( - userName.getCString(), password.getCString()) == 0) + userName.getCString(), password.getCString(), true) == 0) { authenticated = true; } diff -up pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.local-or-remote-auth pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp --- pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.local-or-remote-auth 2009-08-07 07:43:31.000000000 +0200 +++ pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2011-05-19 14:26:12.862501815 +0200 @@ -421,6 +421,9 @@ void HTTPAuthenticatorDelegator::handleH Tracer::LEVEL3, "HTTPAuthenticatorDelegator - Authentication processing start"); + // Let Authenticators know whether this user is Local or Remote: + httpMessage->authInfo->setRemoteUser( httpMessage->isFromRemoteHost ); + // // Handle authentication: //