- improved pam_session patch so it doesn't regress; the patch is necessary
for the pam_session_close to be called correctly as uid 0
parent
ad61b116d1
commit
d63dc67db7
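--- /dev/null
+++ b/openssh-4.3p2-pam-session.patch
@@ -0,0 +1,129 @@
+--- openssh-4.3p2/auth-pam.c.pam-session 2006-11-27 17:39:08.000000000 +0100
++++ openssh-4.3p2/auth-pam.c 2006-11-27 19:31:41.000000000 +0100
+@@ -563,15 +563,17 @@
+void
+sshpam_cleanup(void)
+{
+- debug("PAM: cleanup");
+- if (sshpam_handle == NULL)
++ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
+return;
++ debug("PAM: cleanup");
+pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
+if (sshpam_cred_established) {
++ debug("PAM: deleting credentials");
+pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+sshpam_cred_established = 0;
+}
+if (sshpam_session_open) {
++ debug("PAM: closing session");
+pam_close_session(sshpam_handle, PAM_SILENT);
+sshpam_session_open = 0;
+}
+--- openssh-4.3p2/sshd.c.pam-session 2006-11-27 17:29:44.000000000 +0100
++++ openssh-4.3p2/sshd.c 2006-11-28 21:21:52.000000000 +0100
+@@ -1745,7 +1745,21 @@
+audit_event(SSH_AUTH_SUCCESS);
+#endif
+
+- /*
++#ifdef GSSAPI
++ if (options.gss_authentication) {
++ temporarily_use_uid(authctxt->pw);
++ ssh_gssapi_storecreds();
++ restore_uid();
++ }
++#endif
++#ifdef USE_PAM
++ if (options.use_pam) {
++ do_pam_setcred(1);
++ do_pam_session();
++ }
++#endif
++
++ /*
+* In privilege separation, we fork another child and prepare
+* file descriptor passing.
+*/
+--- openssh-4.3p2/monitor.c.pam-session 2006-11-27 17:29:44.000000000 +0100
++++ openssh-4.3p2/monitor.c 2006-11-28 14:01:23.000000000 +0100
+@@ -1539,6 +1539,11 @@
+/* The child is terminating */
+session_destroy_all(&mm_session_close);
+
++#ifdef USE_PAM
++ if (options.use_pam)
++ sshpam_cleanup();
++#endif
++
+while (waitpid(pmonitor->m_pid, &status, 0) == -1)
+if (errno != EINTR)
+exit(1);
+--- openssh-4.3p2/session.c.pam-session 2006-11-27 17:29:43.000000000 +0100
++++ openssh-4.3p2/session.c 2006-11-28 21:17:56.000000000 +0100
+@@ -395,11 +395,6 @@
+
+session_proctitle(s);
+
+-#if defined(USE_PAM)
+- if (options.use_pam && !use_privsep)
+- do_pam_setcred(1);
+-#endif /* USE_PAM */
+-
+/* Fork the child. */
+if ((pid = fork()) == 0) {
+is_child = 1;
+@@ -530,14 +525,6 @@
+ptyfd = s->ptyfd;
+ttyfd = s->ttyfd;
+
+-#if defined(USE_PAM)
+- if (options.use_pam) {
+- do_pam_set_tty(s->tty);
+- if (!use_privsep)
+- do_pam_setcred(1);
+- }
+-#endif
+-
+/* Fork the child. */
+if ((pid = fork()) == 0) {
+is_child = 1;
+@@ -1266,16 +1253,8 @@
+# ifdef __bsdi__
+setpgid(0, 0);
+# endif
+-#ifdef GSSAPI
+- if (options.gss_authentication) {
+- temporarily_use_uid(pw);
+- ssh_gssapi_storecreds();
+- restore_uid();
+- }
+-#endif
+# ifdef USE_PAM
+if (options.use_pam) {
+- do_pam_session();
+do_pam_setcred(0);
+}
+# endif /* USE_PAM */
+@@ -1303,13 +1282,6 @@
+exit(1);
+}
+endgrent();
+-#ifdef GSSAPI
+- if (options.gss_authentication) {
+- temporarily_use_uid(pw);
+- ssh_gssapi_storecreds();
+- restore_uid();
+- }
+-#endif
+# ifdef USE_PAM
+/*
+* PAM credentials may take the form of supplementary groups.
+@@ -1317,7 +1289,6 @@
+* Reestablish them here.
+*/
+if (options.use_pam) {
+- do_pam_session();
+do_pam_setcred(0);
+}
+# endif /* USE_PAM */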
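Review bot: The session.c hunk at `@@ -530,14 +525,6 @@` drops `do_pam_set_tty(s->tty)` together with the `do_pam_setcred(1)` call, so as far as this patch shows PAM_TTY is no longer set before the `do_pam_setcred(0)` calls that remain in the child; modules that key on PAM_TTY (e.g. for console or tty-bound credentials) would lose that information, and the commit message only motivates the uid-0 session close, not this removal. If the tty item is still wanted, keep `do_pam_set_tty(s->tty);` inside the `#if defined(USE_PAM)` block and remove only the `if (!use_privsep) do_pam_setcred(1);` lines. The moved `do_pam_session()` in the sshd.c hunk now opens the PAM session in the monitor before any tty exists, which is consistent with the new `use_privsep && !mm_is_monitor()` guard in sshpam_cleanup that confines close and PAM_DELETE_CRED to the monitor; under privilege separation the post-auth child presumably holds a separate copy of the PAM handle, so a PAM_TTY set there would not reach the monitor's close anyway — worth confirming before dropping the call. The monitor.c hunk calls `sshpam_cleanup()` before `waitpid` on the child, so the PAM session is closed while the child may still be running; that matches the described intent but is worth a one-line comment such as `/* close PAM session as uid 0 before reaping the child */`.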
@ -61,7 +61,7 @@
|
|||||||
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
|
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: 4.3p2
|
Version: 4.3p2
|
||||||
Release: 12%{?dist}%{?rescue_rel}
|
Release: 13%{?dist}%{?rescue_rel}
|
||||||
URL: http://www.openssh.com/portable.html
|
URL: http://www.openssh.com/portable.html
|
||||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
|
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
|
||||||
@ -97,6 +97,7 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch
|
|||||||
Patch45: openssh-4.3p2-cve-2006-4924.patch
|
Patch45: openssh-4.3p2-cve-2006-4924.patch
|
||||||
Patch46: openssh-3.9p1-cve-2006-5051.patch
|
Patch46: openssh-3.9p1-cve-2006-5051.patch
|
||||||
Patch47: openssh-4.3p2-cve-2006-5794.patch
|
Patch47: openssh-4.3p2-cve-2006-5794.patch
|
||||||
|
Patch48: openssh-4.3p2-pam-session.patch
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
|
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
|
||||||
@ -231,6 +232,7 @@ an X11 passphrase dialog for OpenSSH.
|
|||||||
%patch45 -p1 -b .deattack-dos
|
%patch45 -p1 -b .deattack-dos
|
||||||
%patch46 -p1 -b .sig-no-cleanup
|
%patch46 -p1 -b .sig-no-cleanup
|
||||||
%patch47 -p1 -b .verify
|
%patch47 -p1 -b .verify
|
||||||
|
%patch48 -p1 -b .pam-sesssion
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
|
|
||||||
@ -475,6 +477,10 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 28 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-13
|
||||||
|
- improved pam_session patch so it doesn't regress, the patch is necessary
|
||||||
|
for the pam_session_close to be called correctly as uid 0
|
||||||
|
|
||||||
* Fri Nov 10 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-12
|
* Fri Nov 10 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-12
|
||||||
- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
|
- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
|
||||||
|
|
||||||
|