diff -Nur pegasus-2.6.1.orig/src/Pegasus/Common/AuthenticationInfo.h pegasus-2.6.1/src/Pegasus/Common/AuthenticationInfo.h --- pegasus-2.6.1.orig/src/Pegasus/Common/AuthenticationInfo.h 2007-03-23 10:36:53.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Common/AuthenticationInfo.h 2007-08-17 11:18:15.000000000 -0700 @@ -343,6 +343,22 @@ return _rep->getRemotePrivilegedUserAccessChecked(); } + /** Indicate whether the user is Remote + */ + Boolean isRemoteUser() const + { + _checkRep(); + return _rep->isRemoteUser(); + } + + /** Set the Remote User flag + */ + void setRemoteUser(Boolean remoteUser) + { + _checkRep(); + _rep->setRemoteUser(remoteUser); + } + private: AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep) diff -Nur pegasus-2.6.1.orig/src/Pegasus/Common/AuthenticationInfoRep.cpp pegasus-2.6.1/src/Pegasus/Common/AuthenticationInfoRep.cpp --- pegasus-2.6.1.orig/src/Pegasus/Common/AuthenticationInfoRep.cpp 2007-03-23 10:36:53.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Common/AuthenticationInfoRep.cpp 2007-08-17 11:26:28.000000000 -0700 @@ -51,7 +51,8 @@ _privileged(false), _authType(String::EMPTY), _connectionAuthenticated(false), - _wasRemotePrivilegedUserAccessChecked(false) + _wasRemotePrivilegedUserAccessChecked(false), + _remoteUser(true) { PEG_METHOD_ENTER( TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep"); @@ -59,6 +60,15 @@ PEG_METHOD_EXIT(); } +void AuthenticationInfoRep::setRemoteUser(Boolean remoteUser) +{ + PEG_METHOD_ENTER(TRC_AUTHENTICATION, + "AuthenticationInfoRep::setRemoteUser"); + + _remoteUser = remoteUser; + + PEG_METHOD_EXIT(); +} AuthenticationInfoRep::~AuthenticationInfoRep() { diff -Nur pegasus-2.6.1.orig/src/Pegasus/Common/AuthenticationInfoRep.h pegasus-2.6.1/src/Pegasus/Common/AuthenticationInfoRep.h --- pegasus-2.6.1.orig/src/Pegasus/Common/AuthenticationInfoRep.h 2007-03-23 10:36:53.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Common/AuthenticationInfoRep.h 2007-08-17 11:18:15.000000000 -0700 @@ -136,6 +136,13 @@ void setSecurityAssociation(); #endif + Boolean isRemoteUser() const + { + return _remoteUser; + } + + void setRemoteUser(Boolean remoteUser); + //PEP187 Array getClientCertificateChain() { @@ -180,6 +187,7 @@ Boolean _wasRemotePrivilegedUserAccessChecked; Array _clientCertificate; + Boolean _remoteUser; }; PEGASUS_NAMESPACE_END diff -Nur pegasus-2.6.1.orig/src/Pegasus/Common/HTTPConnection.cpp pegasus-2.6.1/src/Pegasus/Common/HTTPConnection.cpp --- pegasus-2.6.1.orig/src/Pegasus/Common/HTTPConnection.cpp 2007-08-02 01:08:02.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Common/HTTPConnection.cpp 2007-08-17 11:18:15.000000000 -0700 @@ -2042,6 +2042,30 @@ #endif } + // Allow authenticators to differentiate Remote and Local users: + struct sockaddr_in sin_peer, sin_svr; // don't need to worry about IPv6 yet ... + socklen_t slen1=sizeof(struct sockaddr_in), slen2=sizeof(struct sockaddr_in); + uint32_t sock = _socket.get()->getSocket() ; + memset(&sin_peer,'\0',slen1); + memset(&sin_svr, '\0',slen2); + if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 ) + ||( ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0 ) + ) + { + if( sin_peer.sin_family == AF_INET ) + { + if( ((ntohl( sin_peer.sin_addr.s_addr ) >> 24) & 0xff) == 127 ) + // message was sent FROM localhost interface + message->fromRemoteHost = false; + } + if( sin_svr.sin_family == AF_INET ) + { + if( ((ntohl( sin_svr.sin_addr.s_addr ) >> 24) & 0xff) == 127 ) + // message was sent TO localhost interface + message->fromRemoteHost = false; + } + } + // // increment request count // diff -Nur pegasus-2.6.1.orig/src/Pegasus/Common/HTTPMessage.cpp pegasus-2.6.1/src/Pegasus/Common/HTTPMessage.cpp --- pegasus-2.6.1.orig/src/Pegasus/Common/HTTPMessage.cpp 2007-05-25 10:39:01.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Common/HTTPMessage.cpp 2007-08-17 11:18:15.000000000 -0700 @@ -120,7 +120,8 @@ queueId(queueId_), authInfo(0), acceptLanguagesDecoded(false), - contentLanguagesDecoded(false) + contentLanguagesDecoded(false), + fromRemoteHost(true) { if (cimException_) cimException = *cimException_; diff -Nur pegasus-2.6.1.orig/src/Pegasus/Common/HTTPMessage.h pegasus-2.6.1/src/Pegasus/Common/HTTPMessage.h --- pegasus-2.6.1.orig/src/Pegasus/Common/HTTPMessage.h 2007-05-25 10:39:01.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Common/HTTPMessage.h 2007-08-17 11:18:15.000000000 -0700 @@ -75,6 +75,7 @@ ContentLanguageList contentLanguages; Boolean acceptLanguagesDecoded; Boolean contentLanguagesDecoded; + Boolean fromRemoteHost; CIMException cimException; void parse( diff -Nur pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp pegasus-2.6.1/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp --- pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2006-11-08 04:41:28.000000000 -0800 +++ pegasus-2.6.1/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2007-08-17 11:18:15.000000000 -0700 @@ -139,7 +139,7 @@ } authInfo->setRemotePrivilegedUserAccessChecked(); - authenticated = _basicAuthenticator->authenticate(userName, password); + authenticated = _basicAuthenticator->authenticate(userName, password, authInfo->isRemoteUser()); // Log audit message. PEG_AUDIT_LOG(logBasicAuthentication( diff -Nur pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/BasicAuthenticator.h pegasus-2.6.1/src/Pegasus/Security/Authentication/BasicAuthenticator.h --- pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2006-01-30 08:18:28.000000000 -0800 +++ pegasus-2.6.1/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2007-08-17 11:18:15.000000000 -0700 @@ -67,7 +67,8 @@ */ virtual Boolean authenticate( const String& userName, - const String& password) = 0; + const String& password, + Boolean isRemoteUser) = 0; /** Construct and return the HTTP Basic authentication challenge header @return A string containing the authentication challenge header. diff -Nur pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h pegasus-2.6.1/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h --- pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2006-08-09 14:13:04.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2007-08-17 11:18:15.000000000 -0700 @@ -73,7 +73,8 @@ */ Boolean authenticate( const String& userName, - const String& password); + const String& password, + Boolean isRemoteUser); /** Verify PAM account management for the requesting user. @param userName String containing the user name @@ -102,7 +103,8 @@ Boolean _authenticateByPAM( const String& userName, - const String& password); + const String& password, + Boolean isRemoteUser); void _createPAMStandalone(); @@ -158,7 +160,8 @@ */ Boolean authenticate( const String& userName, - const String& password); + const String& password, + Boolean isRemoteUser); /** Verify whether the user is valid. @param userName String containing the user name @@ -220,7 +223,8 @@ Boolean _authenticateByPAM( const String& userName, - const String& password); + const String& password, + Boolean isRemoteUser); #if defined(PEGASUS_USE_PAM_STANDALONE_PROC) PAMBasicAuthenticatorStandAlone _pamBasicAuthenticatorStandAlone; diff -Nur pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp pegasus-2.6.1/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp --- pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2006-01-30 08:18:28.000000000 -0800 +++ pegasus-2.6.1/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2007-08-17 11:18:15.000000000 -0700 @@ -92,7 +92,8 @@ Boolean PAMBasicAuthenticator::authenticate( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::authenticate()"); diff -Nur pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp pegasus-2.6.1/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp --- pegasus-2.6.1.orig/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2007-04-04 04:04:52.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2007-08-17 11:38:49.000000000 -0700 @@ -48,6 +48,8 @@ #include #endif +#include + #if defined (PEGASUS_USE_PAM_STANDALONE_PROC) #include #include @@ -130,7 +132,8 @@ Boolean PAMBasicAuthenticator::authenticate( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::authenticate()"); @@ -138,7 +141,7 @@ Boolean authenticated; #if !defined(PEGASUS_USE_PAM_STANDALONE_PROC) - authenticated = _authenticateByPAM(userName, password); + authenticated = _authenticateByPAM(userName, password, isRemoteUser); #else // // Mutex to Serialize Authentication calls. @@ -156,7 +159,8 @@ Boolean PAMBasicAuthenticator::_authenticateByPAM( const String& userName, - const String& password) + const String& password, + Boolean isRemoteUser) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "PAMBasicAuthenticator::_authenticateByPAM()"); @@ -166,6 +170,7 @@ pam_handle_t *phandle; char *name; APP_DATA mydata; + int retcode; // // Store the password for PAM authentication @@ -180,12 +185,28 @@ // "PAMBasicAuthenticator::_authenticateByPAM() - userName = %s; userPassword = %s", // (const char *)userName.getCString(), (const char *)password.getCString())); + // NOTE: if any pam call should log anything, our syslog socket will be redirected + // to the AUTH facility, so we need to redirect it back after each pam call. + // //Call pam_start since you need to before making any other PAM calls // - if ( ( pam_start(service, + if ( ( retcode = pam_start(service, (const char *)userName.getCString(), &pconv, &phandle) ) != PAM_SUCCESS ) { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog( LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode)); + PEG_METHOD_EXIT(); + return (authenticated); + } + + if ( (retcode = pam_set_item(phandle, PAM_TTY, isRemoteUser ? "wbemNetwork" : "wbemLocal")) != PAM_SUCCESS ) + { + pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbem) failed: %s", pam_strerror(phandle, retcode)); PEG_METHOD_EXIT(); return (authenticated); } @@ -193,7 +214,7 @@ // //Call pam_authenticate to authenticate the user // - if ( ( pam_authenticate(phandle, 0) ) == PAM_SUCCESS ) + if ( ( retcode = pam_authenticate(phandle, 0) ) == PAM_SUCCESS ) { PEG_TRACE_CSTRING(TRC_AUTHENTICATION, Tracer::LEVEL4, "pam_authenticate successful."); @@ -202,21 +223,41 @@ //checking for password and account expiration, as well as verifying access //hour restrictions. // - if ( ( pam_acct_mgmt(phandle, 0) ) == PAM_SUCCESS ) + if ( ( retcode = pam_acct_mgmt(phandle, 0) ) == PAM_SUCCESS ) { PEG_TRACE_CSTRING(TRC_AUTHENTICATION, Tracer::LEVEL4, "pam_acct_mgmt successful."); authenticated = true; } + else + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_acct_mgmt failed: %s",pam_strerror(phandle, retcode)); + } + } + else + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog(LOG_ERR, "pam_authenticate failed: %s",pam_strerror(phandle, retcode)); } // //Call pam_end to end our PAM work // pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); PEG_METHOD_EXIT(); + if ( ! authenticated ) + syslog(LOG_ERR, "PAM authentication failed for %s user: %s", + isRemoteUser ? "remote" : "local", + (const char*)userName.getCString() + ); + return (authenticated); } @@ -232,6 +273,7 @@ pam_handle_t *phandle; char *name; APP_DATA mydata; + int retcode; const char *service = "wbem"; pconv.conv = PAMBasicAuthenticator::pamValidateUserCallback; @@ -240,9 +282,22 @@ // // Call pam_start since you need to before making any other PAM calls // - if ( pam_start(service, - (const char *)userName.getCString(), &pconv, &phandle) != PAM_SUCCESS) + if ( (retcode = pam_start(service, + (const char *)userName.getCString(), &pconv, &phandle)) != PAM_SUCCESS) + { + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog( LOG_ERR, "pam_start() failed: %s", pam_strerror(phandle, retcode)); + PEG_METHOD_EXIT(); + return (authenticated); + } + + if ( (retcode = pam_set_item(phandle, PAM_TTY, "wbemLocal")) != PAM_SUCCESS ) { + pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbemLocal) failed: %s", pam_strerror(phandle, retcode)); PEG_METHOD_EXIT(); return (authenticated); } @@ -252,16 +307,28 @@ // checking for account expiration, as well as verifying access // hour restrictions. // - if ( pam_acct_mgmt(phandle, 0) == PAM_SUCCESS ) + if ( (retcode = pam_acct_mgmt(phandle, 0)) == PAM_SUCCESS ) { authenticated = true; } + else + { + pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + syslog( LOG_ERR, "pam_acct_mgmt() failed: %s", pam_strerror(phandle, retcode)); + PEG_METHOD_EXIT(); + return (authenticated); + } // //Call pam_end to end our PAM work // pam_end(phandle, 0); + closelog(); + openlog("cimserver", LOG_PID, LOG_DAEMON); + #else // // Mutex to Serialize Authentication calls. diff -Nur pegasus-2.6.1.orig/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp pegasus-2.6.1/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp --- pegasus-2.6.1.orig/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2007-04-04 04:04:52.000000000 -0700 +++ pegasus-2.6.1/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2007-08-17 11:18:15.000000000 -0700 @@ -274,6 +274,9 @@ } } + // Let Authenticators know whether this user is Local or Remote: + httpMessage->authInfo->setRemoteUser( httpMessage->fromRemoteHost ); + // // Handle authentication: //