Bug 918

Summary: ssh_gssapi_storecreds called to late to be usable by PAM in sesion.c
Product: Portable OpenSSH Reporter: Doug Engert <deengert>
Component: PAM supportAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 914    
Attachments:
Description Flags
move call to ssh_gssapi_storecreds in session.c before call to PAM
none
Fix tabbage. dtucker: ok+

Description Doug Engert 2004-08-24 00:36:21 AEST 
The gss-serv-krb5.c will call do_pam_putenv to set the KRB5CCNAME 
so it can be used by a PAM routine. But the call to ssh_gssapi_storecreds
is called from do_exec which is way to late to be usable by
do_pam_session or do_pam_setcred. Suggestion is to move the 
call.
Comment 1 Doug Engert 2004-08-24 00:39:48 AEST 
Created attachment 701 [details]
move call to ssh_gssapi_storecreds in session.c before call to PAM
Comment 2 Damien Miller 2004-09-11 19:09:34 AEST 
I don't understand: ssh_gssapi_storecreds() is currently called in do_exec().
The flow then goes do_exec()->do_exec_pty()->do_child()->do_setusercontext(). 

The PAM calls happen in do_setusercontext() and ssh_gssapi_storecreds() has
therefore already been called. What am I missing?
Comment 3 Darren Tucker 2004-09-11 20:02:16 AEST 
sshd.c calls do_setusercontext() to set up the post-auth privsep credentials,
and do_setusercontext has the pam_setcred() calls.  The second call to
do_setusercontext in session.c is a no-op for the privsep case (ie if uid != 0
&& euid != 0).

I whacked some debugs in at the #ifdef GSSAPI points and gssapi_storecreds(),
the interesting bits are:

debug3: PAM: opening session
debug2: User child is on pid 5313
debug3: mm_request_receive entering
debug1: PAM: reinitializing credentials
debug1: permanently_set_uid: 500/500
[...]
debug3: GSSAPI: ssh_gssapi_storecreds()
debug1: PAM: setting PAM_TTY to "/dev/pts/2"
Comment 4 Darren Tucker 2004-09-11 20:14:45 AEST 
Comment on attachment 701 [details]
move call to ssh_gssapi_storecreds in session.c before call to PAM

>+#ifdef GSSAPI
>+	if (options.gss_authentication) {
>+		temporarily_use_uid(pw);
>+		ssh_gssapi_storecreds();
>+		restore_uid();
>+	}
>+#endif

BTW, the indenting is wrong (should be two tabs) and that's a bit misleading. 
Why is it called twice?  (I'm guessing for the same reason PAM is: to
re-establish supplemental groups, eg a PAG).
Comment 5 Darren Tucker 2004-09-11 20:16:34 AEST 
Created attachment 713 [details]
Fix tabbage.
Comment 6 Darren Tucker 2004-09-11 20:17:45 AEST 
Comment on attachment 713 [details]
Fix tabbage.

FWIW this seems OK to me, assuming there's a good reason for calling it twice.
Comment 7 Damien Miller 2004-09-11 20:25:27 AEST 
I think it is there twice for the HAVE_LOGIN_CAP case.
Comment 8 Darren Tucker 2004-09-11 20:37:04 AEST 
Ah, yes, that would be it.  One of these days I'll learn to read the ifdefs
properly...
Comment 9 Darren Tucker 2005-02-16 16:48:27 AEDT 
Applied, thanks.
Comment 10 Darren Tucker 2005-03-10 09:07:03 AEDT 
With the release of OpenSSH 4.0, these bugs are now closed. For details, see:
http://www.openssh.com/txt/release-4.0