| Summary: | openssh calls pam functions in the wrong order on logout | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Anicka Bernathova <anicka> | ||||
| Component: | PAM support | Assignee: | Assigned to nobody <unassigned-bugs> | ||||
| Status: | CLOSED FIXED | ||||||
| Severity: | major | CC: | dtucker, mail | ||||
| Priority: | P2 | ||||||
| Version: | 5.1p1 | ||||||
| Hardware: | Other | ||||||
| OS: | Linux | ||||||
| Attachments: |
|
||||||
I've created the patch last year. This is really a annoying bug if you're relying on kerberos and it doesn't work. Patch applied, thanks. I will point out that the order these functions are supposed to be called is not specified in either the original PAM spec or XSSO, and the man pages on different platforms give conflicting advice, so there's a decent chance this will break something else. Mass move of RESOLVED bugs to CLOSED now that 5.3 is out. |
Created attachment 1577 [details] openssh pam fix for calling functions in the right order on logout Copied from original bugreport by Andreas Schwab in Novell bugzilla: openssh calls the pam functions on logout in the wrong order. pam_setcred with the DELETE_CRED flag is called before pam_close_session is called. This means that e.g. a kerberos aware module can't use the kerberos credentials cache to close it's session, cause the tickets are already gone. pam_setcred with DELETE_CRED should be called after pam_close_session. See attached patch.