918 – ssh_gssapi_storecreds called to late to be usable by PAM in sesion.c

Bug 918 - ssh_gssapi_storecreds called to late to be usable by PAM in sesion.c

Summary: ssh_gssapi_storecreds called to late to be usable by PAM in sesion.c

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	PAM support (show other bugs)
Version:	-current
Hardware:	All All

Importance:	P2 normal
Assignee:	OpenSSH Bugzilla mailing list

URL:
Keywords:

Depends on:
Blocks:	914
	Show dependency tree / graph

Reported:	2004-08-24 00:36 AEST by Doug Engert
Modified:	2005-03-10 09:07 AEDT (History)
CC List:	0 users

See Also:

Attachments
move call to ssh_gssapi_storecreds in session.c before call to PAM (902 bytes, patch) 2004-08-24 00:39 AEST, Doug Engert	no flags	Details \| Diff
Fix tabbage. (1.22 KB, patch) 2004-09-11 20:16 AEST, Darren Tucker	dtucker: ok+	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Doug Engert 2004-08-24 00:36:21 AEST

The gss-serv-krb5.c will call do_pam_putenv to set the KRB5CCNAME 
so it can be used by a PAM routine. But the call to ssh_gssapi_storecreds
is called from do_exec which is way to late to be usable by
do_pam_session or do_pam_setcred. Suggestion is to move the 
call.

Comment 1 Doug Engert 2004-08-24 00:39:48 AEST

Created attachment 701 [details]
move call to ssh_gssapi_storecreds in session.c before call to PAM

Comment 2 Damien Miller 2004-09-11 19:09:34 AEST

I don't understand: ssh_gssapi_storecreds() is currently called in do_exec().
The flow then goes do_exec()->do_exec_pty()->do_child()->do_setusercontext(). 

The PAM calls happen in do_setusercontext() and ssh_gssapi_storecreds() has
therefore already been called. What am I missing?

Comment 3 Darren Tucker 2004-09-11 20:02:16 AEST

sshd.c calls do_setusercontext() to set up the post-auth privsep credentials,
and do_setusercontext has the pam_setcred() calls.  The second call to
do_setusercontext in session.c is a no-op for the privsep case (ie if uid != 0
&& euid != 0).

I whacked some debugs in at the #ifdef GSSAPI points and gssapi_storecreds(),
the interesting bits are:

debug3: PAM: opening session
debug2: User child is on pid 5313
debug3: mm_request_receive entering
debug1: PAM: reinitializing credentials
debug1: permanently_set_uid: 500/500
[...]
debug3: GSSAPI: ssh_gssapi_storecreds()
debug1: PAM: setting PAM_TTY to "/dev/pts/2"

Comment 4 Darren Tucker 2004-09-11 20:14:45 AEST

Comment on attachment 701 [details]
move call to ssh_gssapi_storecreds in session.c before call to PAM

>+#ifdef GSSAPI
>+	if (options.gss_authentication) {
>+		temporarily_use_uid(pw);
>+		ssh_gssapi_storecreds();
>+		restore_uid();
>+	}
>+#endif

BTW, the indenting is wrong (should be two tabs) and that's a bit misleading. 
Why is it called twice?  (I'm guessing for the same reason PAM is: to
re-establish supplemental groups, eg a PAG).

Comment 5 Darren Tucker 2004-09-11 20:16:34 AEST

Created attachment 713 [details]
Fix tabbage.

Comment 6 Darren Tucker 2004-09-11 20:17:45 AEST

Comment on attachment 713 [details]
Fix tabbage.

FWIW this seems OK to me, assuming there's a good reason for calling it twice.

Comment 7 Damien Miller 2004-09-11 20:25:27 AEST

I think it is there twice for the HAVE_LOGIN_CAP case.

Comment 8 Darren Tucker 2004-09-11 20:37:04 AEST

Ah, yes, that would be it.  One of these days I'll learn to read the ifdefs
properly...

Comment 9 Darren Tucker 2005-02-16 16:48:27 AEDT

Applied, thanks.

Comment 10 Darren Tucker 2005-03-10 09:07:03 AEDT

With the release of OpenSSH 4.0, these bugs are now closed. For details, see:
http://www.openssh.com/txt/release-4.0