[PATCH] Tell PAM about remote host earlier

Andrew Bartlett abartlet at pcug.org.au
Mon Feb 12 08:52:29 EST 2001


Damien Miller wrote:
> 
> On Sat, 10 Feb 2001, Andrew Bartlett wrote:
> 
> > I was browsing the OpenSSH sources (which are very readable,
> > thank you very much) and noticed that PAM was only being told what
> > host the user is logging in from for account processing - not for
> > password processing.  As I can see no reason not to put this in
> > start_pam this is exactly what I have done - and attached a patch to
> > this effect.
> >
> > This allows PAM to fill in rhost= in its audit messages (pam_unix),
> > and may in fact be used in some module, somewhere.
> 
> Applied - thanks.
> 
> -d
> 

I also noticed that OpenSSH 'closes' the session for users who don't
authenticate themselves successfully, creating misleading entries in the
logs (session closed for user abartlet) when abartlet never opened a
session.  This patch corrects the situation.

Hope it's useful,
Andrew Bartlett

> --
> | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org          /   distributed filesystem'' - Dan Geer

-- 
Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
--- auth-pam.c.orig	Sat Feb 10 13:01:35 2001
+++ auth-pam.c	Sun Feb 11 23:40:59 2001
@@ -55,6 +55,10 @@
 /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
 static int password_change_required = 0;
 
+/* remember if we actualy set up a session, so we don't close 
+   as session we never opened */
+static int session_opened = 0;
+
 /*
  * PAM conversation function.
  * There are two states this can run in.
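Review bot: The comment added above `session_opened` has two typos ("actualy", and "as session" where "a session" is meant) and should be fixed before this goes in. It would also help to say in that comment which call sets the flag (the successful PAM session setup) and which call reads it (the cleanup path that calls pam_close_session()), since the flag is a file-scope static whose meaning depends on both.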
@@ -137,12 +141,13 @@
 
 	if (pamh != NULL)
 	{
+	  if (session_opened) {
 		pam_retval = pam_close_session(pamh, 0);
 		if (pam_retval != PAM_SUCCESS) {
 			log("Cannot close PAM session[%d]: %.200s", 
 				pam_retval, PAM_STRERROR(pamh, pam_retval));
 		}
-
+	  }
 		pam_retval = pam_setcred(pamh, PAM_DELETE_CRED);
 		if (pam_retval != PAM_SUCCESS) {
 			debug("Cannot delete credentials[%d]: %.200s", 
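Review bot: Inside the new `if (session_opened) {` branch the flag is never cleared after pam_close_session(), so if this cleanup block were reached a second time the close would be attempted again; adding `session_opened = 0;` after the call keeps the flag truthful. The two added lines are indented with a tab plus two spaces and the enclosed body is not re-indented, which does not match the tab-only style of the surrounding code. The following pam_setcred(pamh, PAM_DELETE_CRED) call remains unconditional, so a failed login still asks PAM to delete credentials that were never set; a matching guard would be consistent with the reasoning behind this change.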
@@ -246,6 +243,7 @@
 		fatal("PAM session setup failed[%d]: %.200s", 
 			pam_retval, PAM_STRERROR(pamh, pam_retval));
 	}
+	session_opened = 1;
 }
 
 /* Set PAM credentials */ 
 
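Review bot: The header `@@ -246,6 +243,7 @@` does not agree with the earlier hunks: the first hunk adds four lines and the second adds one, so the new-file start should be 251 rather than 243, which suggests the patch was edited by hand; regenerating it with diff -u against a clean tree would avoid an offset warning when it is applied. The placement of `session_opened = 1;` after the failure check looks right, since the `fatal(...)` branch has been passed by the time the flag is set.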

