[Dovecot] Hostname passed to PAM as rhost

Tom Alsberg alsbergt at cs.huji.ac.il
Mon Sep 26 22:24:25 EEST 2005


(I am sorry to bother the list with something I should have verified
 myself right now - I simply do not have access to the source code
 here)

Thinking of some limit I wanted to put with authentication, I am
wondering - when Dovecot authenticates a user using PAM, now that
(in 1.0) it passes the rhost item to PAM, it passes a hostname, not
an IP address.

Does it double-verify the DNS record before it trusts
this to be the hostname (first checking the IP address in
in_addr.arpa and then checking that the hostname indeed maps back to
the same IP address)?

That is necessary in order to trust the client address when 
determining authentication strength in the PAM module based on the
client location (specifically we want stronger authentication when
the client comes from outside of our network, while inside a plain password
suffices), as else anybody could "spoof" the hostname by changing the 
IN PTR record of his IP address to point back to some "trusted" 
hostname (given he has control of the DNS zone his host is in, which
is completely possible given the server knows nothing about it).

  Thanks,
  -- Tom

-- 
  Tom Alsberg - hacker (being the best description fitting this space)
  Web page:	http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER:  The above message does not even necessarily represent what
my fingers have typed on the keyboard, save anything further.
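
The double verification asked about above (forward-confirmed reverse DNS), as an added Python example that is not part of the original post and not Dovecot's code. The function names, host names and address records are constructed for illustration. The resolvers are passed in as parameters so the check can be run offline against the sample records.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def verified_rhost(ip, reverse=system_reverse, forward=system_forward):
    """Return the PTR name only if it resolves back to ip; otherwise the IP."""
    addr = ipaddress.ip_address(ip)
    name = reverse(ip)
    if not name:
        return ip                      # no PTR record: pass the address
    for candidate in forward(name):
        try:
            if ipaddress.ip_address(candidate.split("%")[0]) == addr:
                return name.rstrip(".").lower()   # forward-confirmed
        except ValueError:
            continue
    return ip                          # PTR not confirmed by the forward zone

# Constructed records (documentation address ranges, hypothetical names).
# The owner of 203.0.113.7 controls its in-addr.arpa zone and points the PTR
# at a name inside the "trusted" network; the forward zone is not theirs.
PTR = {"192.0.2.10": "ws1.inside.example.", "203.0.113.7": "ws1.inside.example."}
FWD = {"ws1.inside.example.": {"192.0.2.10"}}

def demo():
    """Run both clients through the check using the constructed records."""
    return {ip: verified_rhost(ip, PTR.get, lambda n: FWD.get(n, set()))
            for ip in PTR}

if __name__ == "__main__":
    for ip, rhost in demo().items():
        print(ip, "->", rhost)
```

With this check in front of it, a location-based PAM rule sees either a hostname whose forward record confirms the client address or the bare IP address, never an unconfirmed PTR name.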

