diff -pruN krb5-1.6.2/src/appl/bsd/krshd.c krb5-1.6.2.userhost/src/appl/bsd/krshd.c --- krb5-1.6.2/src/appl/bsd/krshd.c 2008-08-04 18:14:22.000000000 -0400 +++ krb5-1.6.2.userhost/src/appl/bsd/krshd.c 2008-08-04 18:13:25.000000000 -0400 @@ -1157,6 +1157,7 @@ void doit(f, fromp) 0, locuser, "", + hostname, do_encrypt ? EKSHELL_PAM_SERVICE : KSHELL_PAM_SERVICE) != 0) { diff -pruN krb5-1.6.2/src/appl/bsd/login.c krb5-1.6.2.userhost/src/appl/bsd/login.c --- krb5-1.6.2/src/appl/bsd/login.c 2008-08-04 18:14:22.000000000 -0400 +++ krb5-1.6.2.userhost/src/appl/bsd/login.c 2008-08-04 18:11:30.000000000 -0400 @@ -1299,7 +1299,10 @@ int main(argc, argv) #ifdef USE_PAM if (login_use_pam) { - if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "", + if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, + username, + "", + hostname, ttyname(STDIN_FILENO)) == PAM_SUCCESS) { break; } else { @@ -1425,7 +1428,10 @@ int main(argc, argv) #ifdef USE_PAM if (login_use_pam) { - if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "", + if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, + username, + "", + hostname, ttyname(STDIN_FILENO)) != 0) { printf("Login incorrect\n"); sleepexit(1); diff -pruN krb5-1.6.2/src/appl/bsd/pam.c krb5-1.6.2.userhost/src/appl/bsd/pam.c --- krb5-1.6.2/src/appl/bsd/pam.c 2008-08-04 18:14:22.000000000 -0400 +++ krb5-1.6.2.userhost/src/appl/bsd/pam.c 2008-08-04 18:08:38.000000000 -0400 @@ -251,6 +251,7 @@ appl_pam_set_forwarded_ccname(const char appl_pam_start(const char *service, int interactive, const char *login_username, const char *non_interactive_password, + const char *hostname, const char *tty) { static int exit_handler_registered; @@ -279,6 +280,13 @@ appl_pam_start(const char *service, int ret = pam_start(service, login_username, &appl_pam_conv, &appl_pamh); if (ret == 0) { + if (hostname != NULL) { +#ifdef DEBUG + printf("Setting PAM_RHOST to \"%s\".\n", + hostname); +#endif + pam_set_item(appl_pamh, PAM_RHOST, hostname); + } if (tty != NULL) { #ifdef DEBUG printf("Setting PAM_TTY to \"%s\".\n", tty); @@ -304,11 +312,12 @@ int appl_pam_authenticate(const char *service, int interactive, const char *login_username, const char *non_interactive_password, + const char *hostname, const char *tty) { int ret; - ret = appl_pam_start(service, interactive, login_username, - non_interactive_password, tty); + ret = appl_pam_start(service, interactive, login_username, + non_interactive_password, hostname, tty); if (ret == 0) { ret = pam_authenticate(appl_pamh, 0); } @@ -318,12 +327,13 @@ int appl_pam_acct_mgmt(const char *service, int interactive, const char *login_username, const char *non_interactive_password, + const char *hostname, const char *tty) { int ret; appl_pam_pwchange_required = 0; ret = appl_pam_start(service, interactive, login_username, - non_interactive_password, tty); + non_interactive_password, hostname, tty); if (ret == 0) { #ifdef DEBUG printf("Calling pam_acct_mgmt().\n"); diff -pruN krb5-1.6.2/src/appl/bsd/pam.h krb5-1.6.2.userhost/src/appl/bsd/pam.h --- krb5-1.6.2/src/appl/bsd/pam.h 2008-08-04 18:14:22.000000000 -0400 +++ krb5-1.6.2.userhost/src/appl/bsd/pam.h 2008-08-04 18:12:00.000000000 -0400 @@ -46,10 +46,12 @@ int appl_pam_enabled(krb5_context contex int appl_pam_authenticate(const char *service, int interactive, const char *local_username, const char *non_interactive_password, + const char *hostname, const char *tty); int appl_pam_acct_mgmt(const char *service, int interactive, const char *local_username, const char *non_interactive_password, + const char *hostname, const char *tty); int appl_pam_requires_chauthtok(void); int appl_pam_chauthtok(void); diff -pruN krb5-1.6.2/src/appl/gssftp/ftpd/ftpd.c krb5-1.6.2.userhost/src/appl/gssftp/ftpd/ftpd.c --- krb5-1.6.2/src/appl/gssftp/ftpd/ftpd.c 2008-08-04 18:14:22.000000000 -0400 +++ krb5-1.6.2.userhost/src/appl/gssftp/ftpd/ftpd.c 2008-08-04 18:13:23.000000000 -0400 @@ -811,6 +811,7 @@ user(name) if (appl_pam_enabled(kcontext, "ftpd")) { if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0, pw->pw_name, "", + hostname, FTP_PAM_SERVICE) != 0) { reply(530, "Login incorrect."); return; @@ -1096,6 +1097,7 @@ pass(passwd) appl_pam_enabled(kcontext, "ftpd") ? (appl_pam_authenticate(FTP_PAM_SERVICE, 0, pw->pw_name, passwd, + hostname, FTP_PAM_SERVICE) != 0) : #endif (!kpass(pw->pw_name, passwd) && @@ -1122,6 +1124,7 @@ pass(passwd) if (appl_pam_enabled(kcontext, "ftpd")) { if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0, pw->pw_name, passwd, + hostname, FTP_PAM_SERVICE) != 0) { reply(530, "Login incorrect."); return;