- djm@cvs.openbsd.org 2010/01/30 02:54:53

[openssh.git] / auth-pam.c

diff --git a/auth-pam.c b/auth-pam.c
index 493993a10d1c6699dd3709c0b44f7386016640c4..675006e6fb25cbb7f48bb8115b8d32cb2897c2d8 100644 (file)
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -161,9 +161,9 @@ sshpam_sigchld_handler(int sig)
            WTERMSIG(sshpam_thread_status) == SIGTERM)
                return; /* terminated by pthread_cancel */
        if (!WIFEXITED(sshpam_thread_status))
-               fatal("PAM: authentication thread exited unexpectedly");
+               sigdie("PAM: authentication thread exited unexpectedly");
        if (WEXITSTATUS(sshpam_thread_status) != 0)
-               fatal("PAM: authentication thread exited uncleanly");
+               sigdie("PAM: authentication thread exited uncleanly");
 }
 
 /* ARGSUSED */
@@ -437,10 +437,16 @@ sshpam_thread(void *ctxtp)
        u_int i;
        const char *pam_user;
        const char **ptr_pam_user = &pam_user;
+       char *tz = getenv("TZ");
 
        pam_get_item(sshpam_handle, PAM_USER,
            (sshpam_const void **)ptr_pam_user);
+
        environ[0] = NULL;
+       if (tz != NULL)
+               if (setenv("TZ", tz, 1) == -1)
+                       error("PAM: could not set TZ environment: %s",
+                           strerror(errno));
 
        if (sshpam_authctxt != NULL) {
                setproctitle("%s [pam]",
@@ -592,18 +598,20 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL };
 void
 sshpam_cleanup(void)
 {
-       debug("PAM: cleanup");
-       if (sshpam_handle == NULL)
+       if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
                return;
+       debug("PAM: cleanup");
        pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
-       if (sshpam_cred_established) {
-               pam_setcred(sshpam_handle, PAM_DELETE_CRED);
-               sshpam_cred_established = 0;
-       }
        if (sshpam_session_open) {
+               debug("PAM: closing session");
                pam_close_session(sshpam_handle, PAM_SILENT);
                sshpam_session_open = 0;
        }
+       if (sshpam_cred_established) {
+               debug("PAM: deleting credentials");
+               pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+               sshpam_cred_established = 0;
+       }
        sshpam_authenticated = 0;
        pam_end(sshpam_handle, sshpam_err);
        sshpam_handle = NULL;
@@ -680,8 +688,7 @@ sshpam_init_ctx(Authctxt *authctxt)
                return (NULL);
        }
 
-       ctxt = xmalloc(sizeof *ctxt);
-       memset(ctxt, 0, sizeof(*ctxt));
+       ctxt = xcalloc(1, sizeof *ctxt);
 
        /* Start the authentication thread */
        if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
@@ -979,7 +986,8 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
                        break;
                case PAM_PROMPT_ECHO_ON:
                        fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
-                       fgets(input, sizeof input, stdin);
+                       if (fgets(input, sizeof input, stdin) == NULL)
+                               input[0] = '\0';
                        if ((reply[i].resp = strdup(input)) == NULL)
                                goto fail;
                        reply[i].resp_retcode = PAM_SUCCESS;
@@ -1124,9 +1132,8 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
        if (n <= 0 || n > PAM_MAX_NUM_MSG)
                return (PAM_CONV_ERR);
 
-       if ((reply = malloc(n * sizeof(*reply))) == NULL)
+       if ((reply = calloc(n, sizeof(*reply))) == NULL)
                return (PAM_CONV_ERR);
-       memset(reply, 0, n * sizeof(*reply));
 
        for (i = 0; i < n; ++i) {
                switch (PAM_MSG_MEMBER(msg, i, msg_style)) {