
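--- a/openssh-4.3p2/auth-pam.c.pam-session
+++ b/openssh-4.3p2/auth-pam.c.pam-session
@@ -563,15 +563,17 @@
 void
 sshpam_cleanup(void)
 {
-	debug("PAM: cleanup");
-	if (sshpam_handle == NULL)
+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
 		return;
+	debug("PAM: cleanup");
 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 	if (sshpam_cred_established) {
+		debug("PAM: deleting credentials");
 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
 		sshpam_cred_established = 0;
 	}
 	if (sshpam_session_open) {
+		debug("PAM: closing session");
 		pam_close_session(sshpam_handle, PAM_SILENT);
 		sshpam_session_open = 0;
 	}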
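Review bot: The new early return on `use_privsep && !mm_is_monitor()` in sshpam_cleanup has no comment, yet it is the line that decides which process may delete credentials and close the PAM session. I would add above it `/* With privsep the monitor owns the PAM session and credentials; the unprivileged child must not tear them down. */`. The skip is only safe if the monitor reliably reaches its own sshpam_cleanup() call, presumably the one added in the monitor.c section; a monitor exit path that misses it would leave the session open. The return values of pam_setcred() and pam_close_session() are still discarded, so the added debug lines record the attempt but not a failure. The function body continues past the end of the section.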
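--- a/openssh-4.3p2/sshd.c.pam-session
+++ b/openssh-4.3p2/sshd.c.pam-session
@@ -1745,7 +1745,21 @@
 	audit_event(SSH_AUTH_SUCCESS);
 #endif
 
-	/*
+#ifdef GSSAPI
+	if (options.gss_authentication) {
+		temporarily_use_uid(authctxt->pw);
+		ssh_gssapi_storecreds();
+		restore_uid();
+	}
+#endif
+#ifdef USE_PAM
+	if (options.use_pam) {
+		do_pam_setcred(1);
+		do_pam_session();
+	}
+#endif
+
+ 	/*
 	 * In privilege separation, we fork another child and prepare
 	 * file descriptor passing.
 	 */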
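Review bot: The added `do_pam_setcred(1); do_pam_session();` pair in sshd.c sits directly above the privilege-separation fork, after the successful-authentication audit event, and nothing says why the placement and order matter. A comment such as `/* Establish credentials and open the PAM session before the privsep fork so the monitor owns them and can close them in sshpam_cleanup(). */` would record that. Neither call's outcome is visible in this hunk, so it is worth confirming that a failed session open is handled inside do_pam_session() rather than silently continuing to the fork. The enclosing function starts and ends outside the section.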
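--- a/openssh-4.3p2/monitor.c.pam-session
+++ b/openssh-4.3p2/monitor.c.pam-session
@@ -1539,6 +1539,11 @@
 	/* The child is terminating */
 	session_destroy_all(&mm_session_close);
 
+#ifdef USE_PAM
+	if (options.use_pam)
+		sshpam_cleanup();
+#endif
+
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);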
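--- a/openssh-4.3p2/session.c.pam-session
+++ b/openssh-4.3p2/session.c.pam-session
@@ -395,11 +395,6 @@
 
 	session_proctitle(s);
 
-#if defined(USE_PAM)
-	if (options.use_pam && !use_privsep)
-		do_pam_setcred(1);
-#endif /* USE_PAM */
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -530,14 +525,6 @@
 	ptyfd = s->ptyfd;
 	ttyfd = s->ttyfd;
 
-#if defined(USE_PAM)
-	if (options.use_pam) {
-		do_pam_set_tty(s->tty);
-		if (!use_privsep)
-			do_pam_setcred(1);
-	}
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -1266,16 +1253,8 @@
 # ifdef __bsdi__
 		setpgid(0, 0);
 # endif
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
 # ifdef USE_PAM
 		if (options.use_pam) {
-			do_pam_session();
 			do_pam_setcred(0);
 		}
 # endif /* USE_PAM */
@@ -1303,13 +1282,6 @@
 			exit(1);
 		}
 		endgrent();
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups.
@@ -1317,7 +1289,6 @@
 		 * Reestablish them here.
 		 */
 		if (options.use_pam) {
-			do_pam_session();
 			do_pam_setcred(0);
 		}
 # endif /* USE_PAM */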
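Review bot: The second hunk removes `do_pam_set_tty(s->tty);` and no replacement call appears anywhere in this patch, so PAM_TTY looks to be unset when the session is opened from sshd.c, where the hunk shows no tty being passed to PAM. Session modules that key on the terminal, such as access rules or login accounting, would then see no tty. If that is intended it should be stated; otherwise the tty has to reach PAM some other way, since keeping the call here would set it only after the session is already open. The enclosing functions start and end outside the hunks.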
