
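--- a/auth-pam.c
+++ b/auth-pam.c
@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss
 void
 sshpam_cleanup(void)
 {
-	debug("PAM: cleanup");
-	if (sshpam_handle == NULL)
+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
 		return;
+	debug("PAM: cleanup");
 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 	if (sshpam_cred_established) {
+		debug("PAM: deleting credentials");
 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
 		sshpam_cred_established = 0;
 	}
 	if (sshpam_session_open) {
+		debug("PAM: closing session");
 		pam_close_session(sshpam_handle, PAM_SILENT);
 		sshpam_session_open = 0;
 	}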
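Review bot: The results of `pam_setcred(sshpam_handle, PAM_DELETE_CRED)` and `pam_close_session(sshpam_handle, PAM_SILENT)` are still discarded, so the two added debug() lines record that teardown was attempted but not whether it succeeded. With the new guard, under privsep only the monitor gets past the early return, which makes this the one place a failed credential deletion could be logged. Consider `if (pam_setcred(sshpam_handle, PAM_DELETE_CRED) != PAM_SUCCESS) debug("PAM: pam_setcred(PAM_DELETE_CRED) failed");` and the same pattern for pam_close_session(). The end of sshpam_cleanup() lies outside the hunk.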
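--- a/monitor.c
+++ b/monitor.c
@@ -1547,6 +1547,11 @@ mm_answer_term(int sock, Buffer *req)
 	/* The child is terminating */
 	session_destroy_all(&mm_session_close);
 
+#ifdef USE_PAM
+	if (options.use_pam)
+		sshpam_cleanup();
+#endif
+
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);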
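Review bot: sshpam_cleanup() runs ahead of the waitpid() loop, so credentials are deleted and the PAM session is closed while the child may not have exited yet. Whether that matters depends on the configured session modules, so the ordering is worth confirming. If it is deliberate (for instance so that the `exit(1)` path below cannot skip the teardown), a comment above the block would make that explicit, e.g. `/* Tear down PAM before reaping the child so the exit(1) below cannot skip it */`. mm_answer_term() starts and ends outside the hunk.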
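--- a/session.c
+++ b/session.c
@@ -428,11 +428,6 @@ do_exec_no_pty(Session *s, const char *c
 
 	session_proctitle(s);
 
-#if defined(USE_PAM)
-	if (options.use_pam && !use_privsep)
-		do_pam_setcred(1);
-#endif /* USE_PAM */
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -563,14 +558,6 @@ do_exec_pty(Session *s, const char *comm
 	ptyfd = s->ptyfd;
 	ttyfd = s->ttyfd;
 
-#if defined(USE_PAM)
-	if (options.use_pam) {
-		do_pam_set_tty(s->tty);
-		if (!use_privsep)
-			do_pam_setcred(1);
-	}
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -1373,16 +1360,8 @@ do_setusercontext(struct passwd *pw)
 # ifdef __bsdi__
 		setpgid(0, 0);
 # endif
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
 # ifdef USE_PAM
 		if (options.use_pam) {
-			do_pam_session();
 			do_pam_setcred(use_privsep);
 		}
 # endif /* USE_PAM */
@@ -1410,13 +1389,6 @@ do_setusercontext(struct passwd *pw)
 			exit(1);
 		}
 		endgrent();
-# ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-# endif
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups.
@@ -1424,7 +1396,6 @@ do_setusercontext(struct passwd *pw)
 		 * Reestablish them here.
 		 */
 		if (options.use_pam) {
-			do_pam_session();
 			do_pam_setcred(use_privsep);
 		}
 # endif /* USE_PAM */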
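--- a/sshd.c
+++ b/sshd.c
@@ -1847,6 +1847,20 @@ main(int ac, char **av)
 	audit_event(SSH_AUTH_SUCCESS);
 #endif
 
+#ifdef GSSAPI
+	if (options.gss_authentication) {
+		temporarily_use_uid(authctxt->pw);
+		ssh_gssapi_storecreds();
+		restore_uid();
+	}
+#endif
+#ifdef USE_PAM
+	if (options.use_pam) {
+		do_pam_setcred(1);
+		do_pam_session();
+	}
+#endif
+
 	/*
 	 * In privilege separation, we fork another child and prepare
 	 * file descriptor passing.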
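Review bot: do_pam_session() is now called in main() right after authentication, where no pty appears to have been allocated yet, and the session.c part of this patch removes the only visible `do_pam_set_tty(s->tty)` call. If nothing outside these hunks sets the PAM tty item, session modules that log or restrict by terminal would see it unset, so this should be confirmed before the change goes in. If the loss is intended, a comment above the block would record it, e.g. `/* PAM session is opened before any pty exists; PAM_TTY is not set at this point */`. main() begins and continues outside the hunk.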
