Solaris PAM: Cannot delete credentials

Hans Werner Strube strube at physik3.gwdg.de
Thu Nov 22 04:23:19 EST 2001


As has been reported several times, openssh with PAM in Solaris gives
a debug message on logout: Cannot delete credentials.
Here is a patch for auth-pam.c (possibly Solaris-specific).
The line numbers hold at least for 2.9.9p2 through 3.0.1p1.
Note that seteuid() is not sufficient; one must use setuid().
It would be more efficient to save the uid of the session and pass it,
in order to avoid pam_get_item() and getpwnam(), but this would be a
major change.

*** auth-pam.c.ORI	Fri Nov  9 21:22:17 2001
--- auth-pam.c	Wed Nov 21 18:12:31 2001
***************
*** 184,190 ****
--- 184,199 ----
  	}
  
  	if (__pamh && creds_set) {
+ 		char *pamuser;
+ 		uid_t olduid=(uid_t)(-1);
+ 		if (pam_get_item(__pamh, PAM_USER, &pamuser) == PAM_SUCCESS) {
+ 			struct passwd *pw = getpwnam(pamuser);
+ 			if (pw && (olduid=getuid())==0)
+ 				setuid(pw->pw_uid);
+ 		}
  		pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
+ 		if (olduid==0)
+ 			setuid(0);
  		if (pam_retval != PAM_SUCCESS)
  			debug("Cannot delete credentials[%d]: %.200s", 
  			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
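Review bot: the return values of both setuid() calls are discarded, and the restoring setuid(0) cannot be relied on: when a root process calls setuid(), the real, effective and saved uids all become pw->pw_uid, so setuid(0) fails for every non-root user and whatever follows the cleanup and still assumes root silently runs as that user. Either check the result and fatal() or at least log on failure, or change only the real uid with setreuid(pw->pw_uid, -1) and restore it with setreuid(0, -1), which keeps the effective uid 0 and with it the privilege to switch back. Two smaller points: pam_get_item() can return PAM_SUCCESS and leave pamuser NULL, which getpwnam(NULL) does not tolerate, so guard the getpwnam() call with `pamuser != NULL`; and pam_get_item() takes a pointer to `void *` for the item, so `&pamuser` (a `char **`) needs a cast to avoid the incompatible-pointer warning. The assignment buried in `if (pw && (olduid=getuid())==0)` would also read more clearly as a separate `olduid = getuid();` before the test.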


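The uid switch the post relies on is worth seeing with its failure modes handled. The C program below is an added example, not code from the post, from OpenSSH or from Solaris: it runs a callback (standing in for pam_setcred(PAM_DELETE_CRED)) with the real uid changed to the target user and returns to the original uid afterwards, checking every call. It assumes that the PAM module only needs the real uid to be the user's, which is what "seteuid() is not sufficient" suggests, and so uses setreuid(uid, -1): that leaves the effective uid 0 and therefore the privilege to switch back, whereas setuid(uid) from root also rewrites the saved uid, after which setuid(0) fails. The uid 65534, the names run_with_real_uid, record_ids and struct observed, and the status value 42 are the example's own.

```c
/* Added example, not from the OpenSSH patch or the Solaris PAM sources:
 * run a callback with a different real uid and come back afterwards.
 *
 * Assumption: the callee (pam_setcred in the post) only needs getuid() to
 * be the user's.  setreuid(target, -1) changes the real uid and keeps the
 * effective uid, so a root caller can undo it with setreuid(saved, -1).
 * A root caller's setuid(target) would also set the saved uid, and the
 * later setuid(0) would fail; that is the trap this helper avoids. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes returned by run_with_real_uid(). */
enum {
    RUN_OK = 0,
    RUN_DROP_FAILED = -1,     /* could not change the real uid; callback not run */
    RUN_RESTORE_FAILED = -2   /* callback ran, but the real uid could not be put back */
};

/*
 * Temporarily set the real uid to `target`, run fn(arg), and restore the
 * previous real uid.  The effective uid is left untouched, so a root caller
 * keeps the privilege needed to switch back.  The callback's return value
 * is stored in *fn_result when the callback runs.
 */
int run_with_real_uid(uid_t target, int (*fn)(void *), void *arg, int *fn_result)
{
    uid_t saved_real = getuid();

    if (saved_real != target && setreuid(target, (uid_t)-1) != 0)
        return RUN_DROP_FAILED;

    *fn_result = fn(arg);

    if (saved_real != target && setreuid(saved_real, (uid_t)-1) != 0)
        return RUN_RESTORE_FAILED;
    return RUN_OK;
}

/* Example callback: records the uids it observes (stands in for pam_setcred). */
struct observed {
    uid_t real;
    uid_t effective;
};

int record_ids(void *arg)
{
    struct observed *o = arg;
    o->real = getuid();
    o->effective = geteuid();
    return 42;  /* hypothetical status code, like a PAM return value */
}

int main(void)
{
    struct observed o = { 0, 0 };
    int fn_result = 0;
    /* Root can reach any uid; an ordinary user can only reach its own. */
    uid_t target = geteuid() == 0 ? 65534 : getuid();  /* 65534: assumed "nobody" */
    int rc = run_with_real_uid(target, record_ids, &o, &fn_result);

    if (rc != RUN_OK) {
        fprintf(stderr, "uid switch failed (%d): %s\n", rc, strerror(errno));
        return 1;
    }
    printf("callback saw real=%u effective=%u and returned %d; real uid now %u\n",
           (unsigned)o.real, (unsigned)o.effective, fn_result, (unsigned)getuid());
    return 0;
}
```

Run it as root to watch the real uid move to 65534 and back; as an ordinary user only the current uid is reachable, and a request for any other uid is reported as a failed drop instead of being ignored.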

More information about the openssh-unix-dev mailing list