From b20efed7e18fbea37a87c944786869628add86b7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Aug 01 2013 07:35:58 +0000
Subject: gssapi credentials need to be stored before a pam session opened (#987792)
---
diff --git a/openssh-6.2p1-gsskex.patch b/openssh-6.2p1-gsskex.patch
index d6f0810..f1fe8d1 100644
--- a/openssh-6.2p1-gsskex.patch
+++ b/openssh-6.2p1-gsskex.patch
@@ -2846,35 +2846,6 @@ diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c
 /*
 * We don't want to listen forever unless the other side
 * successfully authenticates itself. So we set up an alarm which is
-@@ -2139,14 +2200,6 @@ main(int ac, char **av)
- #ifdef SSH_AUDIT_EVENTS
- audit_event(SSH_AUTH_SUCCESS);
- #endif
--
--#ifdef GSSAPI
-- if (options.gss_authentication) {
-- temporarily_use_uid(authctxt->pw);
-- ssh_gssapi_storecreds();
-- restore_uid();
-- }
--#endif
- #ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
- #endif
-@@ -2156,6 +2209,13 @@ main(int ac, char **av)
- do_pam_session();
- }
- #endif
-+#ifdef GSSAPI
-+ if (options.gss_authentication) {
-+ temporarily_use_uid(authctxt->pw);
-+ ssh_gssapi_storecreds();
-+ restore_uid();
-+ }
-+#endif
-
- /*
- * In privilege separation, we fork another child and prepare
 @@ -2466,6 +2526,48 @@ do_ssh2_kex(void)
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();