Solaris PAM: Cannot delete credentials
Hans Werner Strube
strube at physik3.gwdg.de
Thu Nov 22 22:52:31 EST 2001
> As has been reported several times, openssh with PAM in Solaris gives
> a debug message on logout: Cannot delete credentials.
> Here is a patch for auth-pam.c (possibly Solaris-specific).
> The line numbers hold at least for 2.9.9p2 through 3.0.1p1.
> Note that seteuid() is not sufficient, one must use setuid().
> It would be more efficient to save the uid of the session and pass it,
> in order to avoid pam_get_item() and getpwnam(), but this would me a
> major change.
Here is the "major change", involving auth-pam.c, auth-pam.h, session.c.
The change of the first argument of do_pam_session() is possible, because
this argument has not been used in the original version.
Please treat with caution, since I have no actual overview over the
global interdependence and calling sequence of the functions in sshd.
But it worked for a login connection as well as a tty-less connection in
Solaris 7, without yielding the debug message "Cannot delete credentials."
*** auth-pam.c.ORI Fri Nov 9 21:22:17 2001
--- auth-pam.c Thu Nov 22 12:30:29 2001
***************
*** 62,67 ****
--- 62,68 ----
/* Remember what has been initialised */
static int session_opened = 0;
static int creds_set = 0;
+ static uid_t session_uid = 0;
/* accessor which allows us to switch conversation structs according to
* the authentication method being used */
***************
*** 184,190 ****
--- 185,196 ----
}
if (__pamh && creds_set) {
+ int flag=1;
+ if (session_uid != 0 && getuid() == 0)
+ flag = setuid(session_uid);
pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
+ if (!flag)
+ setuid(0);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
***************
*** 267,273 ****
}
/* Do PAM-specific session initialisation */
! void do_pam_session(char *username, const char *ttyname)
{
int pam_retval;
--- 273,279 ----
}
/* Do PAM-specific session initialisation */
! void do_pam_session(uid_t uid, const char *ttyname)
{
int pam_retval;
***************
*** 287,292 ****
--- 293,299 ----
pam_retval, PAM_STRERROR(__pamh, pam_retval));
session_opened = 1;
+ session_uid = uid;
}
/* Set PAM credentials */
*** auth-pam.h.ORI Tue Mar 27 08:12:24 2001
--- auth-pam.h Thu Nov 22 12:28:39 2001
***************
*** 11,17 ****
char **fetch_pam_environment(void);
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
! void do_pam_session(char *username, const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
--- 11,17 ----
char **fetch_pam_environment(void);
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
! void do_pam_session(uid_t uid, const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
*** session.c.ORI Mon Nov 19 16:44:42 2001
--- session.c Thu Nov 22 12:24:39 2001
***************
*** 437,443 ****
session_proctitle(s);
#if defined(USE_PAM)
! do_pam_session(s->pw->pw_name, NULL);
do_pam_setcred(1);
if (is_pam_password_change_required())
packet_disconnect("Password change required but no "
--- 437,443 ----
session_proctitle(s);
#if defined(USE_PAM)
! do_pam_session(s->pw->pw_uid, NULL);
do_pam_setcred(1);
if (is_pam_password_change_required())
packet_disconnect("Password change required but no "
***************
*** 555,561 ****
ttyfd = s->ttyfd;
#if defined(USE_PAM)
! do_pam_session(s->pw->pw_name, s->tty);
do_pam_setcred(1);
#endif
--- 555,561 ----
ttyfd = s->ttyfd;
#if defined(USE_PAM)
! do_pam_session(s->pw->pw_uid, s->tty);
do_pam_setcred(1);
#endif
More information about the openssh-unix-dev
mailing list