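diff -up openssh-4.7p1/session.c.pam-session openssh-4.7p1/session.c
--- openssh-4.7p1/session.c.pam-session 2007-08-16 15:28:04.000000000 +0200
+++ openssh-4.7p1/session.c 2007-09-06 17:37:46.000000000 +0200
@@ -422,11 +422,6 @@ do_exec_no_pty(Session *s, const char *c
 
 session_proctitle(s);
 
-#if defined(USE_PAM)
- if (options.use_pam && !use_privsep)
- do_pam_setcred(1);
-#endif /* USE_PAM */
-
 /* Fork the child. */
 if ((pid = fork()) == 0) {
 is_child = 1;
@@ -557,14 +552,6 @@ do_exec_pty(Session *s, const char *comm
 ptyfd = s->ptyfd;
 ttyfd = s->ttyfd;
 
-#if defined(USE_PAM)
- if (options.use_pam) {
- do_pam_set_tty(s->tty);
- if (!use_privsep)
- do_pam_setcred(1);
- }
-#endif
-
 /* Fork the child. */
 if ((pid = fork()) == 0) {
 is_child = 1;
@@ -1300,17 +1287,9 @@ do_setusercontext(struct passwd *pw)
 # ifdef __bsdi__
 setpgid(0, 0);
 # endif
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
 # ifdef USE_PAM
 if (options.use_pam) {
- do_pam_session();
- do_pam_setcred(use_privsep);
+ do_pam_setcred(0);
 }
 # endif /* USE_PAM */
 if (setusercontext(lc, pw, pw->pw_uid,
@@ -1337,13 +1316,6 @@ do_setusercontext(struct passwd *pw)
 exit(1);
 }
 endgrent();
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
 # ifdef USE_PAM
 /*
 * PAM credentials may take the form of supplementary groups.
@@ -1351,8 +1323,7 @@ do_setusercontext(struct passwd *pw)
 * Reestablish them here.
 */
 if (options.use_pam) {
- do_pam_session();
- do_pam_setcred(use_privsep);
+ do_pam_setcred(0);
 }
 # endif /* USE_PAM */
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)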
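Review bot: In the do_exec_pty hunk the removed `do_pam_set_tty(s->tty)` call has no replacement in any hunk on this page, so once pam_open_session moves to sshd.c main (where no pty exists yet) the session is opened without PAM_TTY naming the allocated tty, and modules that record or check the tty at session open will see whatever PAM_TTY held before, if anything. If the tty item is set elsewhere in the series, a comment at the removal site saying so would help; otherwise consider keeping a `do_pam_set_tty(s->tty);` before the fork in do_exec_pty. The two do_setusercontext hunks replace `do_pam_setcred(use_privsep)` with `do_pam_setcred(0)`, which presumably means the child only re-initialises credentials the monitor already established — consistent with the sshd.c hunk, but worth a one-line comment since the argument is a bare constant. do_exec_no_pty, do_exec_pty and do_setusercontext all start and end outside these hunks.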
|
|
Tomáš Mráz |
c9833c |
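diff -up openssh-4.7p1/sshd.c.pam-session openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.pam-session 2007-09-06 17:37:46.000000000 +0200
+++ openssh-4.7p1/sshd.c 2007-09-06 17:37:46.000000000 +0200
@@ -1831,7 +1831,21 @@ main(int ac, char **av)
 audit_event(SSH_AUTH_SUCCESS);
 #endif
 
- /*
+#ifdef GSSAPI
+ if (options.gss_authentication) {
+ temporarily_use_uid(authctxt->pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+ }
+#endif
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_setcred(1);
+ do_pam_session();
+ }
+#endif
+
+ /*
 * In privilege separation, we fork another child and prepare
 * file descriptor passing.
 */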
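Review bot: The new block in main() runs in the privileged parent before the privilege-separation fork, and nothing near it says why the PAM session is now opened here rather than in the per-session child; a short comment would save the next reader the cross-reference, e.g. `/* Establish PAM credentials and open the PAM session in the monitor so that the matching PAM_DELETE_CRED/pam_close_session run in the same privileged process (see sshpam_cleanup from mm_answer_term). */`. The order is now setcred then open_session, the reverse of the session.c code this patch removes; as far as I recall that is the order the Linux-PAM pam_setcred documentation prescribes, but implementations disagree, so the comment should state it deliberately. The return values of do_pam_setcred and do_pam_session are not examined here, which is fine only if both helpers abort via fatal() on failure — that is not visible on this page. main() continues outside the hunk.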
|
|
Tomáš Mráz |
c9833c |
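diff -up openssh-4.7p1/monitor.c.pam-session openssh-4.7p1/monitor.c
--- openssh-4.7p1/monitor.c.pam-session 2007-09-06 17:37:46.000000000 +0200
+++ openssh-4.7p1/monitor.c 2007-09-06 17:37:46.000000000 +0200
@@ -1566,6 +1566,11 @@ mm_answer_term(int sock, Buffer *req)
 /* The child is terminating */
 session_destroy_all(&mm_session_close);
 
+#ifdef USE_PAM
+ if (options.use_pam)
+ sshpam_cleanup();
+#endif
+
 while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 if (errno != EINTR)
 exit(1);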
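Review bot: sshpam_cleanup() is placed before the waitpid() loop, so the PAM session is closed and credentials are deleted while the unprivileged child may still be exiting; if any module's close-session hook expects the session's processes to be gone, moving the call after the loop would be the safer order, and either way the placement deserves a comment such as `/* The monitor owns the PAM session opened in main(); close it here rather than in the child. */`. This is the only monitor-side cleanup path visible on the page; monitor exits via fatal() or a signal are not shown and presumably rely on the existing cleanup handlers, which is worth confirming given that the auth-pam.c change makes the child skip its own cleanup. mm_answer_term starts before the hunk.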
|
|
Tomáš Mráz |
c9833c |
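diff -up openssh-4.7p1/auth-pam.c.pam-session openssh-4.7p1/auth-pam.c
--- openssh-4.7p1/auth-pam.c.pam-session 2007-08-10 06:32:34.000000000 +0200
+++ openssh-4.7p1/auth-pam.c 2007-09-06 17:37:46.000000000 +0200
@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss
 void
 sshpam_cleanup(void)
 {
- debug("PAM: cleanup");
- if (sshpam_handle == NULL)
+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
 return;
+ debug("PAM: cleanup");
 pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 if (sshpam_cred_established) {
+ debug("PAM: deleting credentials");
 pam_setcred(sshpam_handle, PAM_DELETE_CRED);
 sshpam_cred_established = 0;
 }
 if (sshpam_session_open) {
+ debug("PAM: closing session");
 pam_close_session(sshpam_handle, PAM_SILENT);
 sshpam_session_open = 0;
 }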
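Review bot: The new guard `use_privsep && !mm_is_monitor()` makes the unprivileged child return from sshpam_cleanup() silently, and because `debug("PAM: cleanup")` was moved below the check there is now no log line at all when that happens, which makes a missing cleanup hard to diagnose from the debug output. A `debug3("PAM: cleanup skipped in privsep child");` before the return, or at least a comment on the guard such as `/* Under privsep the child holds only an inherited copy of the handle; the monitor deletes credentials and closes the session. */`, would make the intent explicit. Whether the early return also skips a pam_end() on the child's copy of the handle depends on the rest of the function, which continues past the hunk.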