
How can I get the client IP in PAM?

I am writing a custom PAM module where authentication is controlled only from particular IP addresses.

I am not able to get the IP address of the client making a connection. Is there any example?

I am using this function in my code:

....
    err = pam_get_item(pamh, PAM_RHOST, (const void **) &pHost);
.....

But I always get pHost as NULL.

First off:

"where authentication is controlled only from particular ip addresses"

It's a bad idea to base this off IP addresses, as they can be ridiculously easily forged. Simply don't do that.

Secondly:

As man pam_get_item will tell you:

"The requesting hostname (the hostname of the machine from which the PAM_RUSER entity is requesting service). That is PAM_RUSER@PAM_RHOST does identify the requesting user. In some applications, PAM_RHOST may be NULL. In such situations, it is unclear where the authentication request is originating from."

That will be the case in many applications nowadays.

You might simply be confusing PAM request origins (which shouldn't ever be trusted -- those are the people trying to get auth, so trusting them before you trust them plainly makes your own auth mechanism useless) and the "authenticator" working in the background.

If you need host-based validation, there's already a mature, albeit a little complex to set up, but still widely deployed solution: Kerberos has exactly that purpose, authenticating hosts, so that further authentications can take host authenticity into consideration. Don't reinvent the wheel, especially in security contexts.
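An added example, not part of the original question or answer: one way a module could treat the PAM_RHOST value fail-closed, denying when it is NULL (the case the question hits) or a non-numeric hostname, before comparing it against an allowlist. The function name rhost_allowed and the allowlist entries are assumptions constructed for illustration, and in line with the answer this is only a supplementary restriction, not proof of where a request came from.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample allowlist (IPv4 CIDR ranges); not from the original page. */
struct cidr { const char *net; int bits; };
static const struct cidr allowed[] = {
    { "192.0.2.0", 24 },
    { "198.51.100.7", 32 },
};

/* Hypothetical helper: returns 1 only if rhost is a numeric IPv4 address
 * inside an allowed range. NULL, empty, hostname or malformed input is
 * denied, so an application that never set PAM_RHOST cannot pass. */
int rhost_allowed(const char *rhost)
{
    struct in_addr addr, net;

    if (rhost == NULL || *rhost == '\0')
        return 0;                       /* PAM_RHOST was not set */
    if (inet_pton(AF_INET, rhost, &addr) != 1)
        return 0;                       /* hostname or garbage: do not resolve */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (inet_pton(AF_INET, allowed[i].net, &net) != 1)
            continue;
        uint32_t mask = allowed[i].bits == 0
            ? 0 : htonl(0xFFFFFFFFu << (32 - allowed[i].bits));
        if ((addr.s_addr & mask) == (net.s_addr & mask))
            return 1;
    }
    return 0;
}

/* Inside pam_sm_authenticate() the input would come from:
 *   const void *item = NULL;
 *   if (pam_get_item(pamh, PAM_RHOST, &item) != PAM_SUCCESS) return PAM_AUTH_ERR;
 *   return rhost_allowed(item) ? PAM_SUCCESS : PAM_AUTH_ERR;
 */
int main(void)
{
    /* Constructed inputs: unset item, allowed address, other address, hostname. */
    const char *samples[] = { NULL, "192.0.2.15", "203.0.113.9", "client.example.org" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i] ? samples[i] : "(NULL)",
               rhost_allowed(samples[i]) ? "allow" : "deny");
    return 0;
}
```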
