--- auth-pam.c
|
|
+++ auth-pam.c
|
|
@@ -598,15 +598,17 @@
|
|
void
|
|
sshpam_cleanup(void)
|
|
{
|
|
- debug("PAM: cleanup");
|
|
- if (sshpam_handle == NULL)
|
|
+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
|
|
return;
|
|
+ debug("PAM: cleanup");
|
|
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
|
|
if (sshpam_cred_established) {
|
|
+ debug("PAM: deleting credentials");
|
|
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
|
|
sshpam_cred_established = 0;
|
|
}
|
|
if (sshpam_session_open) {
|
|
+ debug("PAM: closing session");
|
|
pam_close_session(sshpam_handle, PAM_SILENT);
|
|
sshpam_session_open = 0;
|
|
}
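Review bot: The teardown order on the new side deletes credentials (`pam_setcred(sshpam_handle, PAM_DELETE_CRED)`) before closing the session, whereas pam_setcred(3) says credentials should be deleted after pam_close_session(); since the commit already touches both blocks to add debug lines, I would swap them so the `sshpam_session_open` block runs before the `sshpam_cred_established` block. The new early return also deserves a comment, e.g. `/* In privsep the PAM handle belongs to the monitor, which opened the session and established credentials after authentication; the unprivileged child must not tear them down. */` — that ownership is inferred from the sshd.c and monitor.c hunks, so confirm it. The return values of pam_setcred() and pam_close_session() are still discarded, so a failed teardown leaves no trace beyond the new debug lines. sshpam_cleanup() continues past the end of the hunk.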
|
|
--- monitor.c
|
|
+++ monitor.c
|
|
@@ -1546,6 +1546,11 @@
|
|
/* The child is terminating */
|
|
session_destroy_all(&mm_session_close);
|
|
|
|
+#ifdef USE_PAM
|
|
+ if (options.use_pam)
|
|
+ sshpam_cleanup();
|
|
+#endif
|
|
+
|
|
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
|
if (errno != EINTR)
|
|
exit(1);
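Review bot: The new sshpam_cleanup() call between session_destroy_all() and waitpid() carries no comment saying why the monitor, rather than the child, now tears PAM down, which a reader of this function (whose start lies outside the hunk) will need; I would add `/* The PAM session and credentials were established by the monitor after authentication (sshd.c), so only the monitor can close them; sshpam_cleanup() returns early in the unprivileged child. */`. Note also that the cleanup runs before the child has been reaped by the waitpid() loop below, so PAM close-session hooks execute while the child may still be alive; if a module in use expects the session's processes to be gone, the `#ifdef USE_PAM` block should move after the loop. As the auth-pam.c hunk shows, sshpam_cleanup() discards the pam_close_session() and pam_setcred() results, so a failed teardown is silent at this call site.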
|
|
--- session.c
|
|
+++ session.c
|
|
@@ -422,11 +422,6 @@
|
|
|
|
session_proctitle(s);
|
|
|
|
-#if defined(USE_PAM)
|
|
- if (options.use_pam && !use_privsep)
|
|
- do_pam_setcred(1);
|
|
-#endif /* USE_PAM */
|
|
-
|
|
/* Fork the child. */
|
|
if ((pid = fork()) == 0) {
|
|
is_child = 1;
|
|
@@ -557,14 +552,6 @@
|
|
ptyfd = s->ptyfd;
|
|
ttyfd = s->ttyfd;
|
|
|
|
-#if defined(USE_PAM)
|
|
- if (options.use_pam) {
|
|
- do_pam_set_tty(s->tty);
|
|
- if (!use_privsep)
|
|
- do_pam_setcred(1);
|
|
- }
|
|
-#endif
|
|
-
|
|
/* Fork the child. */
|
|
if ((pid = fork()) == 0) {
|
|
is_child = 1;
|
|
@@ -1310,16 +1297,8 @@
|
|
# ifdef __bsdi__
|
|
setpgid(0, 0);
|
|
# endif
|
|
-#ifdef GSSAPI
|
|
- if (options.gss_authentication) {
|
|
- temporarily_use_uid(pw);
|
|
- ssh_gssapi_storecreds();
|
|
- restore_uid();
|
|
- }
|
|
-#endif
|
|
# ifdef USE_PAM
|
|
if (options.use_pam) {
|
|
- do_pam_session();
|
|
do_pam_setcred(use_privsep);
|
|
}
|
|
# endif /* USE_PAM */
|
|
@@ -1347,13 +1326,6 @@
|
|
exit(1);
|
|
}
|
|
endgrent();
|
|
-#ifdef GSSAPI
|
|
- if (options.gss_authentication) {
|
|
- temporarily_use_uid(pw);
|
|
- ssh_gssapi_storecreds();
|
|
- restore_uid();
|
|
- }
|
|
-#endif
|
|
# ifdef USE_PAM
|
|
/*
|
|
* PAM credentials may take the form of supplementary groups.
|
|
@@ -1361,7 +1333,6 @@
|
|
* Reestablish them here.
|
|
*/
|
|
if (options.use_pam) {
|
|
- do_pam_session();
|
|
do_pam_setcred(use_privsep);
|
|
}
|
|
# endif /* USE_PAM */
|
|
--- sshd.c
|
|
+++ sshd.c
|
|
@@ -1899,7 +1899,21 @@
|
|
audit_event(SSH_AUTH_SUCCESS);
|
|
#endif
|
|
|
|
- /*
|
|
+#ifdef GSSAPI
|
|
+ if (options.gss_authentication) {
|
|
+ temporarily_use_uid(authctxt->pw);
|
|
+ ssh_gssapi_storecreds();
|
|
+ restore_uid();
|
|
+ }
|
|
+#endif
|
|
+#ifdef USE_PAM
|
|
+ if (options.use_pam) {
|
|
+ do_pam_setcred(1);
|
|
+ do_pam_session();
|
|
+ }
|
|
+#endif
|
|
+
|
|
+ /*
|
|
* In privilege separation, we fork another child and prepare
|
|
* file descriptor passing.
|
|
*/
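Review bot: do_pam_session() now opens the PAM session immediately after authentication, before any pty exists, and the only do_pam_set_tty() caller in this diff (session.c, do_exec_pty) is deleted without a replacement, so unless PAM_TTY is set somewhere not shown, session modules that read it will see no tty item; confirm whether do_pam_set_tty() still has a caller. Both new calls also discard any failure indication: if do_pam_session() can fail (only auth-pam.c knows), an unopened session should at least be logged before the privsep child is forked. A comment would help the next reader, e.g. `/* Establish PAM credentials and open the PAM session in the privileged monitor so PAM modules run with root privileges; the monitor closes the session via sshpam_cleanup() when the child terminates (monitor.c). */`. The enclosing function starts and ends outside the hunk.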
|