HP Recommended
RGS
Other

Hi,

 

This is a feature request really, but thought I would post here. Using RGS version 7.3.3 on Linux CentOS 6.9, the rgsender process authenticates a client using Linux PAM. I'd like to be able to control who authenticates, which is possible via the pam_access module. Currently the rgsender process passes on the username to PAM, but not the hostname or IP address of the RGS client receiver system. Instead it passes the constant string 'rgsender'. Would it be possible to send the IP address instead to make host filtering possible?

 

These are a couple of relevant lines from /var/log/secure

Oct 22 00:44:25 rgsender: pam_access(rgsender:account): cannot determine tty or remote hostname, using service rgsender
Oct 22 00:44:25 rgsender: pam_access(rgsender:account): login_access: user=testuser, from=rgsender, file=/etc/security/access.conf

 

Ideally the second line would instead be something like 'from=<ip address>'. If this was the case then a line in /etc/security/access.conf (which is used by the pam_access module) would work:

 

- : <username> : <ip address>

 

Thanks in advance,

Richard
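
An added example, not part of the original post or of HP's software: a simplified Python model of pam_access rule evaluation, run against the second log line quoted above and against a constructed variant carrying a client address. The address 192.0.2.10 and the rule set are constructed, and only ALL, literal and IP/network origins are modelled (no EXCEPT, LOCAL or group syntax).

```python
import ipaddress
import re

# Second log line quoted in the post, and a constructed variant showing the
# requested behaviour (192.0.2.10 is a documentation address, an assumption).
LOG_AS_POSTED = ("Oct 22 00:44:25 rgsender: pam_access(rgsender:account): "
                 "login_access: user=testuser, from=rgsender, "
                 "file=/etc/security/access.conf")
LOG_AS_REQUESTED = LOG_AS_POSTED.replace("from=rgsender", "from=192.0.2.10")

# Constructed access.conf in the "- : <username> : <ip address>" form.
ACCESS_CONF = """
- : testuser : 192.0.2.10   # deny testuser from this one client
+ : ALL : ALL
"""

LOGIN_ACCESS = re.compile(
    r"pam_access\((?P<service>[^:]+):\w+\): login_access: "
    r"user=(?P<user>[^,]+), from=(?P<origin>[^,]+),")

def parse_rules(text):
    """Return (permission, users, origins) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm, users.split(), origins.split()))
    return rules

def origin_matches(token, origin):
    if token in ("ALL", origin):
        return True
    try:  # address or network token; a non-address origin never matches
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False

def login_access(rules, user, origin):
    """First matching rule decides; with no match, access is granted."""
    for perm, users, origins in rules:
        if ("ALL" in users or user in users) and any(
                origin_matches(t, origin) for t in origins):
            return perm == "+"
    return True

def evaluate(log_line, rules):
    """Return (access_granted, host_rules_usable) for one login_access line."""
    m = LOGIN_ACCESS.search(log_line)
    return login_access(rules, m["user"], m["origin"]), m["origin"] != m["service"]
```

With the origin reported as the service name, the deny rule is skipped and the catch-all allows the login; with an address in `from=`, the same rule denies it.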

 

5 REPLIES 5
HP Recommended

Thank you for your inquiry.  Will pass along to the R&D team, and then respond with an update on this.  RGS 7.4.0 is now on the web, and has different downloads depending on Linux version.  I have attached RGS 7.4.0 release notes for your perusal.  Just wanted to let you know it is out there, and there were many changes.

I work on the behalf of HP.

I am an HP employee.
HP Recommended

Thanks for the reply.  I have tried RGS 7.4.0, but can confirm it interacts with PAM in the same way.  It would be great if this feature could be added, since it would allow fine grained control over who connects to the sender, without the need to add a bunch of ACL style options to the RGS configuration files.

 

HP Recommended

Great news!  This has been looked into, and I have been informed that this is something that can be added.  Most likely it will be in the next patch release.  Will update when available.

I work on the behalf of HP.

I am an HP employee.
HP Recommended

Hi Kelly,

 

That is good news, thanks very much for organising! I look forward to trying the update. It'll help to tighten up security significantly.

 

Kind regards,

Richard

HP Recommended

Hi,

 

I've installed the Rhel6 7.5 release, but the hostname or IP address of the receiver/client is still not being passed to the Linux-PAM access module. I'm guessing that this feature request wasn't implemented. Would someone at HP mind confirming?

 

Thanks.  

 

 

 

 
