Again: Cannot delete credentials

Hans Werner Strube strube at physik3.gwdg.de
Wed Oct 9 20:10:31 EST 2002


As has often been mentioned, Solaris (at least 7 and 8) gives a debug1 message
on logout: Cannot delete credentials. This occurs when in auth-pam.c,
function do_pam_cleanup_proc(), pam_setcred(__pamh, PAM_DELETE_CRED) is
called under UID 0. I suggested a patch for this on Nov 22, 2001, based on
openssh 2.9.9p2 through 3.0.1p1. [The attempt in my patch to reset to UID 0
by "if (!flag) setuid(0);" does not actually work but seems not to be
required.]
Now in 3.4p1 with privilege separation, I found this patch was no longer
necessary, whereas without privilege separation, behavior was as before.
For an ssh root login, the message always occurred, even with privilege
separation. Experimenting, I found that do_pam_cleanup_proc() runs as the
logged-in user with privilege separation but as root without privilege
separation. Also I found that pam_setcred(__pamh, PAM_DELETE_CRED) works
for any nonzero UID (strange!). Thus the whole patch can be simplified to
the following:

*** auth-pam.c.ORI	Wed May  8 04:27:56 2002
--- auth-pam.c	Wed Oct  2 18:11:39 2002
***************
*** 185,190 ****
--- 185,192 ----
  	}
  
  	if (__pamh && creds_set) {
+ 		if (getuid() == 0)
+ 			setuid(1);
  		pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
  		if (pam_retval != PAM_SUCCESS)
  			debug("Cannot delete credentials[%d]: %.200s", 
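Review bot: the added `setuid(1)` inside the `if (__pamh && creds_set)` block hard-codes UID 1 and does not check the return value; because a `setuid()` call made with real UID 0 sets the real, effective and saved UIDs together, the process cannot regain root afterwards, which matches the earlier observation that a following `setuid(0)` has no effect. Suggest using `seteuid()` with a non-root UID taken from the authenticated user rather than the constant 1, and checking the result, so that any cleanup that still needs root after `pam_setcred()` is not silently broken and a failed UID change is reported next to the existing "Cannot delete credentials" debug message.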