vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Blob Blame History Raw
--- openssh-4.3p2/auth-pam.c.pam-session	2006-11-27 17:39:08.000000000 +0100
+++ openssh-4.3p2/auth-pam.c	2006-11-27 19:31:41.000000000 +0100
@@ -563,15 +563,17 @@
 void
 sshpam_cleanup(void)
 {
-	debug("PAM: cleanup");
-	if (sshpam_handle == NULL)
+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
 		return;
+	debug("PAM: cleanup");
 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 	if (sshpam_cred_established) {
+		debug("PAM: deleting credentials");
 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
 		sshpam_cred_established = 0;
 	}
 	if (sshpam_session_open) {
+		debug("PAM: closing session");
 		pam_close_session(sshpam_handle, PAM_SILENT);
 		sshpam_session_open = 0;
 	}
--- openssh-4.3p2/sshd.c.pam-session	2006-11-27 17:29:44.000000000 +0100
+++ openssh-4.3p2/sshd.c	2006-11-28 21:21:52.000000000 +0100
@@ -1745,7 +1745,21 @@
 	audit_event(SSH_AUTH_SUCCESS);
 #endif
 
-	/*
+#ifdef GSSAPI
+	if (options.gss_authentication) {
+		temporarily_use_uid(authctxt->pw);
+		ssh_gssapi_storecreds();
+		restore_uid();
+	}
+#endif
+#ifdef USE_PAM
+	if (options.use_pam) {
+		do_pam_setcred(1);
+		do_pam_session();
+	}
+#endif
+
+ 	/*
 	 * In privilege separation, we fork another child and prepare
 	 * file descriptor passing.
 	 */
--- openssh-4.3p2/monitor.c.pam-session	2006-11-27 17:29:44.000000000 +0100
+++ openssh-4.3p2/monitor.c	2006-11-28 14:01:23.000000000 +0100
@@ -1539,6 +1539,11 @@
 	/* The child is terminating */
 	session_destroy_all(&mm_session_close);
 
+#ifdef USE_PAM
+	if (options.use_pam)
+		sshpam_cleanup();
+#endif
+
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);
--- openssh-4.3p2/session.c.pam-session	2006-11-27 17:29:43.000000000 +0100
+++ openssh-4.3p2/session.c	2006-11-28 21:17:56.000000000 +0100
@@ -395,11 +395,6 @@
 
 	session_proctitle(s);
 
-#if defined(USE_PAM)
-	if (options.use_pam && !use_privsep)
-		do_pam_setcred(1);
-#endif /* USE_PAM */
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -530,14 +525,6 @@
 	ptyfd = s->ptyfd;
 	ttyfd = s->ttyfd;
 
-#if defined(USE_PAM)
-	if (options.use_pam) {
-		do_pam_set_tty(s->tty);
-		if (!use_privsep)
-			do_pam_setcred(1);
-	}
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -1266,16 +1253,8 @@
 # ifdef __bsdi__
 		setpgid(0, 0);
 # endif
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
 # ifdef USE_PAM
 		if (options.use_pam) {
-			do_pam_session();
 			do_pam_setcred(0);
 		}
 # endif /* USE_PAM */
@@ -1303,13 +1282,6 @@
 			exit(1);
 		}
 		endgrent();
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups.
@@ -1317,7 +1289,6 @@
 		 * Reestablish them here.
 		 */
 		if (options.use_pam) {
-			do_pam_session();
 			do_pam_setcred(0);
 		}
 # endif /* USE_PAM */