Bug 1534 - openssh calls pam functions in the wrong order on logout
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support
Version: 5.1p1
Hardware: Other Linux
Importance: P2 major
Assignee: Assigned to nobody
Reported: 2008-10-27 22:41 AEDT by Anicka Bernathova
Modified: 2009-10-06 15:03 AEDT

Attachments
openssh pam fix for calling functions in the right order on logout (855 bytes, patch)
2008-10-27 22:41 AEDT, Anicka Bernathova
Description Anicka Bernathova 2008-10-27 22:41:04 AEDT
Created attachment 1577
openssh pam fix for calling functions in the right order on logout

Copied from original bugreport by Andreas Schwab in Novell bugzilla:

openssh calls the pam functions on logout in the wrong order.

pam_setcred with the DELETE_CRED flag is called before pam_close_session is called.

This means that e.g. a Kerberos-aware module can't use the Kerberos credentials cache to close its session, because the tickets are already gone.

pam_setcred with DELETE_CRED should be called after pam_close_session.

See attached patch.
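
The failure described in this report, reduced to a toy model. This is an added example, not the attached patch and not OpenSSH or libpam code; every name in it is hypothetical, and the two `model_*` hooks only stand in for `pam_setcred` with the DELETE_CRED flag and for `pam_close_session` in a module that needs the credentials cache.

```c
/* Toy model only: hypothetical names, does not link against libpam. */
#include <stdbool.h>
#include <stdio.h>

struct model_session {
    bool ccache_present;  /* stands in for the Kerberos credentials cache */
    bool session_open;
};

/* Models pam_setcred with the DELETE_CRED flag: the tickets are destroyed. */
static void model_delete_cred(struct model_session *s) {
    s->ccache_present = false;
}

/* Models pam_close_session in a module that needs the tickets to clean up.
 * Returns 0 on success, 1 if the cache is already gone. */
static int model_close_session(struct model_session *s) {
    if (!s->ccache_present)
        return 1;
    s->session_open = false;
    return 0;
}

/* Order reported in the bug: credentials deleted before the session closes. */
int logout_reported_order(struct model_session *s) {
    model_delete_cred(s);
    return model_close_session(s);
}

/* Order the report asks for: close the session, then delete credentials. */
int logout_requested_order(struct model_session *s) {
    int rc = model_close_session(s);
    model_delete_cred(s);  /* credentials are dropped even if close failed */
    return rc;
}

/* Runs one logout sequence on a fresh session; returns 1 if it stays open. */
int session_left_open(int (*logout)(struct model_session *)) {
    struct model_session s = { true, true };
    logout(&s);
    return s.session_open ? 1 : 0;
}

int main(void) {
    printf("reported order leaves session open:  %d\n", session_left_open(logout_reported_order));
    printf("requested order leaves session open: %d\n", session_left_open(logout_requested_order));
    return 0;
}
```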
Comment 1 Andreas Schneider 2009-06-15 20:43:14 AEST
I created the patch last year. This is a really annoying bug if you're relying on Kerberos and it doesn't work.
Comment 2 Darren Tucker 2009-07-12 22:12:00 AEST
Patch applied, thanks.

I will point out that the order these functions are supposed to be called is not specified in either the original PAM spec or XSSO, and the man pages on different platforms give conflicting advice, so there's a decent chance this will break something else.
Comment 3 Damien Miller 2009-10-06 15:03:20 AEDT
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.