-20010328
- - OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2001/03/26 08:07:09
- [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c
- sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
- simpler key load/save interface, see authfile.h
-
20010327
- Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID)
- Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz
[servconf.c servconf.h session.c sshd.8 sshd_config]
PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@
+ - markus@cvs.openbsd.org 2001/03/26 08:07:09
+ [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c
+ sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
+ simpler key load/save interface, see authfile.h
+ - (djm) Reestablish PAM credentials (which can be supplemental group
+ memberships) after initgroups() blows them away. Report and suggested
+ fix from Nalin Dahyabhai <nalin@redhat.com>
20010324
- Fixed permissions ssh-keyscan. Thanks to Christopher Linn <celinn@mtu.edu>.
}
/* Set PAM credentials */
-void do_pam_setcred(void)
+void do_pam_setcred(int init)
{
int pam_retval;
do_pam_set_conv(&conv);
debug("PAM establishing creds");
- pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
+ pam_retval = pam_setcred(__pamh,
+ init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
if (pam_retval != PAM_SUCCESS) {
if (was_authenticated)
fatal("PAM setcred failed[%d]: %.200s",
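Review bot: The `debug("PAM establishing creds")` line is now emitted on both paths, so a debug log cannot tell the initial establish apart from the reinitialize done after initgroups(); consider `debug("PAM %s creds", init ? "establishing" : "reinitializing");`. The header comment should also say what `init` means, e.g. `/* Set PAM credentials: init != 0 uses PAM_ESTABLISH_CRED, init == 0 uses PAM_REINITIALIZE_CRED */`, because the call sites in session.c pass a bare `1` or `0`. The function body continues past the end of this hunk, so the failure branch for a user who is not yet authenticated is not visible here.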
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, const char *ttyname);
-void do_pam_setcred(void);
+void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
void do_pam_chauthtok(void);
session_proctitle(s);
#if defined(USE_PAM)
- do_pam_setcred();
+ do_pam_setcred(1);
#endif /* USE_PAM */
/* Fork the child. */
#if defined(USE_PAM)
do_pam_session(s->pw->pw_name, s->tty);
- do_pam_setcred();
+ do_pam_setcred(1);
#endif
/* Fork the child. */
exit(1);
}
endgrent();
+# ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of
+ * supplementary groups. These will have been
+ * wiped by the above initgroups() call.
+ * Reestablish them here.
+ */
+ do_pam_setcred(0);
+# endif /* USE_PAM */
# ifdef WITH_IRIX_JOBS
jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
if (jid == -1) {
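Review bot: The added `do_pam_setcred(0)` after `endgrent()` depends on an ordering that the new comment only half states: it has to run after initgroups() and, presumably, before the process gives up root, since setting supplementary groups normally requires privilege. The code that drops the uid/gid is outside this hunk, so that should be confirmed, and the comment could gain a line such as `* Must stay after initgroups() and before privileges are dropped.` Separately, the auth-pam.c change keeps a pam_setcred() failure fatal when `was_authenticated` is set, and PAM modules are not guaranteed to handle PAM_REINITIALIZE_CRED the same way as PAM_ESTABLISH_CRED, so this call may turn a module quirk into a refused login. It is worth testing against the PAM stacks this build targets.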