

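--- a/auth-pam.c
+++ b/auth-pam.c
@@ -573,15 +573,17 @@ static struct pam_conv store_conv = { ss
 void
 sshpam_cleanup(void)
 {
-	debug("PAM: cleanup");
-	if (sshpam_handle == NULL)
+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
 		return;
+	debug("PAM: cleanup");
 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 	if (sshpam_cred_established) {
+		debug("PAM: deleting credentials");
 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
 		sshpam_cred_established = 0;
 	}
 	if (sshpam_session_open) {
+		debug("PAM: closing session");
 		pam_close_session(sshpam_handle, PAM_SILENT);
 		sshpam_session_open = 0;
 	}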
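Review bot: The results of `pam_setcred(sshpam_handle, PAM_DELETE_CRED)` and `pam_close_session(sshpam_handle, PAM_SILENT)` are still discarded, so the two new debug lines record that cleanup was attempted, not that it succeeded. Since the cleanup is now restricted to the monitor so that it runs with privilege, it is worth keeping the return value in a local `int r` and logging failures, e.g. `if ((r = pam_close_session(sshpam_handle, PAM_SILENT)) != PAM_SUCCESS) debug("PAM: pam_close_session: %s", pam_strerror(sshpam_handle, r));`. The new early return also deserves a comment such as `/* with privsep only the monitor owns the PAM session and credentials */`, because `debug("PAM: cleanup")` now sits below it and a skipped cleanup in the child leaves no trace in the log. sshpam_cleanup() continues past the end of the hunk.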
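--- a/monitor.c
+++ b/monitor.c
@@ -354,6 +354,10 @@ monitor_child_preauth(Authctxt *_authctx
 				    MONITOR_REQ_PAM_ACCOUNT, &m);
 				authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
 				buffer_free(&m);
+				if (authenticated) {
+					do_pam_session();
+					do_pam_setcred(0);
+				}
 			}
 #endif
 		}
@@ -1531,6 +1535,11 @@ mm_answer_term(int sock, Buffer *req)
 	/* The child is terminating */
 	session_destroy_all(&mm_session_close);
 
+#ifdef USE_PAM
+	if (options.use_pam)
+		sshpam_cleanup();
+#endif
+
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);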
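Review bot: The session and credentials opened after `mm_answer_pam_account()` in monitor_child_preauth() are torn down only by the `sshpam_cleanup()` call added to mm_answer_term(), which runs when the child sends its termination request. If the monitor leaves by another path (the child dies without sending that request, or the monitor hits a fatal error), nothing visible in these hunks closes the session or deletes the credentials, so please confirm that the monitor's fatal/exit cleanup also reaches `sshpam_cleanup()`. The session is also opened here before any pty exists, which merits a comment like `/* session is opened in the monitor so it can be closed as root; PAM_TTY is not known yet */`. Both enclosing functions extend beyond the hunks shown.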
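--- a/session.c
+++ b/session.c
@@ -541,7 +541,7 @@ do_exec_pty(Session *s, const char *comm
 	ttyfd = s->ttyfd;
 
 #if defined(USE_PAM)
-	if (options.use_pam) {
+	if (options.use_pam && !use_privsep) {
 		do_pam_set_tty(s->tty);
 		if (!use_privsep)
 			do_pam_setcred(1);
@@ -1284,7 +1284,7 @@ do_setusercontext(struct passwd *pw)
 		}
 #endif
 # ifdef USE_PAM
-		if (options.use_pam) {
+		if (options.use_pam && !use_privsep) {
 			do_pam_session();
 			do_pam_setcred(0);
 		}
@@ -1326,7 +1326,7 @@ do_setusercontext(struct passwd *pw)
 		 * These will have been wiped by the above initgroups() call.
 		 * Reestablish them here.
 		 */
-		if (options.use_pam) {
+		if (options.use_pam && !use_privsep) {
 			do_pam_session();
 			do_pam_setcred(0);
 		}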
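Review bot: In do_exec_pty() the outer test now excludes privsep, so `do_pam_set_tty(s->tty)` is no longer called at all when privilege separation is on, and the inner `if (!use_privsep)` is always true. If nothing else passes the tty to the monitor's PAM handle (not visible here), modules that read PAM_TTY for access control or session accounting will see no terminal; either forward the tty name to the monitor or state the limitation in a comment. The inner test can be reduced to a plain `do_pam_setcred(1);`. The two do_setusercontext() hunks repeat the same `&& !use_privsep` condition and need no separate change. All three enclosing functions start and end outside the hunks.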
