Bugzilla – Attachment 1472 Details for Bug 926: pam_session_close called as user or not at all
[patch] PAM session in monitor.
openssh-pam_session_in_monitor.patch (text/plain), 3.89 KB, created by Darren Tucker on 2008-03-09 22:18:47 AEDT
>Index: auth-pam.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh/auth-pam.c,v >retrieving revision 1.144 >diff -u -p -r1.144 auth-pam.c >--- auth-pam.c 10 Aug 2007 04:32:34 -0000 1.144 >+++ auth-pam.c 9 Mar 2008 10:51:49 -0000 >@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss > void > sshpam_cleanup(void) > { >- debug("PAM: cleanup"); >- if (sshpam_handle == NULL) >+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) > return; >+ debug("PAM: cleanup"); > pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); > if (sshpam_cred_established) { >+ debug("PAM: deleting credentials"); > pam_setcred(sshpam_handle, PAM_DELETE_CRED); > sshpam_cred_established = 0; > } > if (sshpam_session_open) { >+ debug("PAM: closing session"); > pam_close_session(sshpam_handle, PAM_SILENT); > sshpam_session_open = 0; > } >Index: monitor.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor.c,v >retrieving revision 1.126 >diff -u -p -r1.126 monitor.c >--- monitor.c 2 Dec 2007 12:02:15 -0000 1.126 >+++ monitor.c 9 Mar 2008 10:51:49 -0000 >@@ -1547,6 +1547,11 @@ mm_answer_term(int sock, Buffer *req) > /* The child is terminating */ > session_destroy_all(&mm_session_close); > >+#ifdef USE_PAM >+ if (options.use_pam) >+ sshpam_cleanup(); >+#endif >+ > while (waitpid(pmonitor->m_pid, &status, 0) == -1) > if (errno != EINTR) > exit(1); >Index: session.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh/session.c,v >retrieving revision 1.362 >diff -u -p -r1.362 session.c >--- session.c 7 Mar 2008 07:33:12 -0000 1.362 >+++ session.c 9 Mar 2008 10:54:29 -0000 
>@@ -428,11 +428,6 @@ do_exec_no_pty(Session *s, const char *c > > session_proctitle(s); > >-#if defined(USE_PAM) >- if (options.use_pam && !use_privsep) >- do_pam_setcred(1); >-#endif /* USE_PAM */ >- > /* Fork the child. */ > if ((pid = fork()) == 0) { > is_child = 1; >@@ -563,14 +558,6 @@ do_exec_pty(Session *s, const char *comm > ptyfd = s->ptyfd; > ttyfd = s->ttyfd; > >-#if defined(USE_PAM) >- if (options.use_pam) { >- do_pam_set_tty(s->tty); >- if (!use_privsep) >- do_pam_setcred(1); >- } >-#endif >- > /* Fork the child. */ > if ((pid = fork()) == 0) { > is_child = 1; >@@ -1373,16 +1360,8 @@ do_setusercontext(struct passwd *pw) > # ifdef __bsdi__ > setpgid(0, 0); > # endif >-#ifdef GSSAPI >- if (options.gss_authentication) { >- temporarily_use_uid(pw); >- ssh_gssapi_storecreds(); >- restore_uid(); >- } >-#endif > # ifdef USE_PAM > if (options.use_pam) { >- do_pam_session(); > do_pam_setcred(use_privsep); > } > # endif /* USE_PAM */ >@@ -1410,13 +1389,6 @@ do_setusercontext(struct passwd *pw) > exit(1); > } > endgrent(); >-# ifdef GSSAPI >- if (options.gss_authentication) { >- temporarily_use_uid(pw); >- ssh_gssapi_storecreds(); >- restore_uid(); >- } >-# endif > # ifdef USE_PAM > /* > * PAM credentials may take the form of supplementary groups. >@@ -1424,7 +1396,6 @@ do_setusercontext(struct passwd *pw) > * Reestablish them here. > */ > if (options.use_pam) { >- do_pam_session(); > do_pam_setcred(use_privsep); > } > # endif /* USE_PAM */ >Index: sshd.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh/sshd.c,v >retrieving revision 1.371 >diff -u -p -r1.371 sshd.c >--- sshd.c 7 Mar 2008 07:31:47 -0000 1.371 >+++ sshd.c 9 Mar 2008 11:01:40 -0000 
>@@ -1847,6 +1847,20 @@ main(int ac, char **av) > audit_event(SSH_AUTH_SUCCESS); > #endif > >+#ifdef GSSAPI >+ if (options.gss_authentication) { >+ temporarily_use_uid(authctxt->pw); >+ ssh_gssapi_storecreds(); >+ restore_uid(); >+ } >+#endif >+#ifdef USE_PAM >+ if (options.use_pam) { >+ do_pam_setcred(1); >+ do_pam_session(); >+ } >+#endif >+ > /* > * In privilege separation, we fork another child and prepare > * file descriptor passing.
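Review bot: In the auth-pam.c hunk, the new early return on `use_privsep && !mm_is_monitor()` makes sshpam_cleanup() a silent no-op in the unprivileged child, and because debug("PAM: cleanup") now sits after the check, nothing in the log shows that cleanup was skipped. Add a short comment stating that under privilege separation only the monitor tears down the credentials and the session, and consider a low-level debug message on the skip path. The new "deleting credentials" and "closing session" messages also do not record the return values of pam_setcred() and pam_close_session(), which are discarded in the visible lines; logging them would show whether the close actually succeeded.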
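Review bot: In the monitor.c hunk, sshpam_cleanup() is called in mm_answer_term() before the waitpid() loop, so the PAM session is closed and the credentials are deleted while the child identified by pmonitor->m_pid has not yet been reaped. If that ordering is intentional (the exit(1) inside the loop would otherwise skip the cleanup), a comment saying so belongs above the call. This hunk also covers only the orderly termination request; the description should say how the session is closed when the monitor leaves by a path other than mm_answer_term().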
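Review bot: In the session.c do_exec_pty() hunk, do_pam_set_tty(s->tty) is removed and no other hunk in this patch adds a replacement call. With do_pam_session() now invoked from main() in sshd.c, the session is opened without the tty name having been passed to PAM, which affects modules that consult PAM_TTY. Either keep a way to set the tty before the session is opened or document that the tty is no longer provided to session modules.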
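Review bot: In the session.c do_setusercontext() hunks, removing do_pam_session() leaves do_pam_setcred(use_privsep) as the only statement in each `if (options.use_pam)` block, while the sshd.c hunk already calls do_pam_setcred(1) after authentication. In the non-privsep case this is a second call with argument 0 following an earlier call with 1; the first block should carry a comment stating that the repeat is deliberate, as the existing comment in the second block does for supplementary groups. The braces around the single remaining statement can also be dropped.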
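Review bot: In the sshd.c hunk, the GSSAPI block (temporarily_use_uid(), ssh_gssapi_storecreds(), restore_uid()) is moved into main() next to the PAM calls, but the attachment description mentions only the PAM session; the reason for storing GSSAPI credentials before do_pam_setcred(1) and do_pam_session() should be documented in a comment, since the ordering now matters. The added PAM block also runs before the privilege-separation fork described in the comment that follows it, so a line noting that the session is opened in the privileged process, so that the monitor can later close it through sshpam_cleanup(), would tie this hunk to the auth-pam.c and monitor.c changes.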