How can I get the client IP in PAM

I am writing a custom PAM module where authentication is controlled only from particular IP addresses.

I am not able to get the IP address of the client making a connection. Is there any example?

I am using this function in my code:

    #include <security/pam_modules.h>
    ....
    const char *pHost = NULL;   /* receives the PAM_RHOST item, if the application set one */
    err = pam_get_item(pamh, PAM_RHOST, (const void **) &pHost);
    .....

But I always get pHost as NULL.

First off:

    where authentication is controlled only from particular ip addresses

It's a bad idea to base this off IP addresses, as they can be ridiculously easily forged. Simply don't do that.

Secondly:

As man pam_get_item will tell you:

    The requesting hostname (the hostname of the machine from which the PAM_RUSER entity is requesting service). That is, PAM_RUSER@PAM_RHOST does identify the requesting user. In some applications, PAM_RHOST may be NULL. In such situations, it is unclear where the authentication request is originating from.

That will be the case in many applications nowadays.

You might simply be confusing the origins of PAM requests (which shouldn't ever be trusted: those are the people trying to get authenticated, so trusting them before you trust them plainly makes your own auth mechanism useless) with the "authenticator" working in the background.

If you need host-based validation, there's already a mature, albeit a little complex to set up, but still widely deployed solution: Kerberos has exactly that purpose, authenticating hosts, so that further authentications can take host authenticity into consideration. Don't reinvent the wheel, especially in security contexts.
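Before debugging the module itself, it helps to confirm whether the application you are testing against sets PAM_RHOST at all, since the answer above points out that many applications leave it NULL. The following probe is an added example, not code from the question or the answer: it uses pam_exec.so, which exports the PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and PAM_TYPE items to the child's environment (see pam_exec(8)), so an item the application never set arrives as an empty variable. The install path and the pam.d line in the comments are assumptions for this example.

```shell
#!/bin/sh
# pam_rhost_probe.sh: added example, not part of the original question or answer.
# Records what the calling application put in PAM_RHOST, via pam_exec.so.
#
# Hypothetical install location and pam.d line (assumptions for this example):
#   install -m 0755 pam_rhost_probe.sh /usr/local/sbin/pam_rhost_probe.sh
#   # in /etc/pam.d/sshd (or the service you are debugging), before your module:
#   auth    optional    pam_exec.so /usr/local/sbin/pam_rhost_probe.sh
#
# Note: the value, when present, is whatever the application chose to set.
# It may be a hostname rather than an address (for example when the
# application reverse-resolves the peer), so treat it as informational.

# Classify the value the application put in PAM_RHOST.
# Prints one of: unset, ipv4, ipv6, hostname. Always succeeds.
classify_rhost() {
    if [ -z "$1" ]; then
        echo unset        # application did not set PAM_RHOST (pam_get_item gives NULL)
        return 0
    fi
    case "$1" in
        *:*)         echo ipv6 ;;      # IPv6 literals contain colons; hostnames cannot
        *[!0-9.]*)   echo hostname ;;  # anything beyond digits and dots is a name
        *)           echo ipv4 ;;
    esac
}

# Build the log line for one PAM invocation from the pam_exec environment.
# Arguments: service type user rhost ruser
rhost_report() {
    printf 'pam_rhost_probe service=%s type=%s user=%s rhost=%s (%s) ruser=%s\n' \
        "${1:-?}" "${2:-?}" "${3:-?}" "${4:-<unset>}" "$(classify_rhost "$4")" "${5:-<unset>}"
}

# Only act when actually invoked by pam_exec (PAM_TYPE is set there);
# when sourced or run by hand the functions are merely defined.
# The pam.d entry is "optional", so the probe never influences the auth result.
if [ -n "${PAM_TYPE:-}" ]; then
    rhost_report "${PAM_SERVICE:-}" "$PAM_TYPE" "${PAM_USER:-}" \
        "${PAM_RHOST:-}" "${PAM_RUSER:-}" | logger -t pam_rhost_probe
fi
```

After a few logins, grep the system log for pam_rhost_probe: a run of `rhost=<unset>` lines for your service means the application never calls pam_set_item(PAM_RHOST), and no module code will change that.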
