[Bug 926] pam_session_close called as user or not at all

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun May 22 11:03:08 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=926


dtucker at zip.com.au changed:

                    What|Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|994                         |




------- Additional Comments From dtucker at zip.com.au  2005-05-22 11:03 -------
I've been thinking about this.  It's too late for 4.1p1, but I think the right
way to fix this is to split up the do_pam_setcred() and do_pam_session() calls,
and hook the do_pam_session calls into the login/logout recording in loginrec.c
(to be called from the monitor).  The existing loginmsg handling would allow any
messages returned by PAM to be sent to the user.

This would allow per-session login recording and would allow the
pam_session_close to be called from the same process as the pam_session_open. 
It would mean that pam_session_open() would not be called be pam_setcred (since
in privsep we switch to the real user very early).  I'm not sure if that's going
to be a problem or not.

Comments (esp. from PAM folks) welcome.


