- dropped old ssh obsoletes

- call the pam_session_open/close from the monitor when privsep is enabled
    so it is always called as root (patch by Darren Tucker)
This commit is contained in:
Tomáš Mráz 2006-07-20 11:06:42 +00:00
parent ef32423955
commit 762e407bd5
2 changed files with 101 additions and 9 deletions

View File

@ -0,0 +1,91 @@
Index: auth-pam.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.134
diff -u -p -r1.134 auth-pam.c
--- auth-pam.c 15 May 2006 07:22:33 -0000 1.134
+++ auth-pam.c 22 May 2006 08:50:59 -0000
@@ -573,15 +573,17 @@ static struct pam_conv store_conv = { ss
void
sshpam_cleanup(void)
{
- debug("PAM: cleanup");
- if (sshpam_handle == NULL)
+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
return;
+ debug("PAM: cleanup");
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
if (sshpam_cred_established) {
+ debug("PAM: deleting credentials");
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
sshpam_cred_established = 0;
}
if (sshpam_session_open) {
+ debug("PAM: closing session");
pam_close_session(sshpam_handle, PAM_SILENT);
sshpam_session_open = 0;
}
Index: monitor.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
retrieving revision 1.104
diff -u -p -r1.104 monitor.c
--- monitor.c 21 May 2006 08:26:40 -0000 1.104
+++ monitor.c 22 May 2006 08:37:58 -0000
@@ -354,6 +354,10 @@ monitor_child_preauth(Authctxt *_authctx
MONITOR_REQ_PAM_ACCOUNT, &m);
authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
buffer_free(&m);
+ if (authenticated) {
+ do_pam_session();
+ do_pam_setcred(0);
+ }
}
#endif
}
@@ -1531,6 +1535,11 @@ mm_answer_term(int sock, Buffer *req)
/* The child is terminating */
session_destroy_all(&mm_session_close);
+#ifdef USE_PAM
+ if (options.use_pam)
+ sshpam_cleanup();
+#endif
+
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
Index: session.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
retrieving revision 1.328
diff -u -p -r1.328 session.c
--- session.c 4 May 2006 06:24:34 -0000 1.328
+++ session.c 22 May 2006 08:14:24 -0000
@@ -541,7 +541,7 @@ do_exec_pty(Session *s, const char *comm
ttyfd = s->ttyfd;
#if defined(USE_PAM)
- if (options.use_pam) {
+ if (options.use_pam && !use_privsep) {
do_pam_set_tty(s->tty);
if (!use_privsep)
do_pam_setcred(1);
@@ -1284,7 +1284,7 @@ do_setusercontext(struct passwd *pw)
}
#endif
# ifdef USE_PAM
- if (options.use_pam) {
+ if (options.use_pam && !use_privsep) {
do_pam_session();
do_pam_setcred(0);
}
@@ -1326,7 +1326,7 @@ do_setusercontext(struct passwd *pw)
* These will have been wiped by the above initgroups() call.
* Reestablish them here.
*/
- if (options.use_pam) {
+ if (options.use_pam && !use_privsep) {
do_pam_session();
do_pam_setcred(0);
}

View File

@ -58,7 +58,7 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 4.3p2 Version: 4.3p2
%define rel 6 %define rel 7
%if %{rescue} %if %{rescue}
%define %{rel}rescue %define %{rel}rescue
%else %else
@ -92,11 +92,10 @@ Patch35: openssh-4.2p1-askpass-progress.patch
Patch36: openssh-4.3p2-buffer-len.patch Patch36: openssh-4.3p2-buffer-len.patch
Patch37: openssh-4.3p2-configure-typo.patch Patch37: openssh-4.3p2-configure-typo.patch
Patch38: openssh-4.3p2-askpass-grab-info.patch Patch38: openssh-4.3p2-askpass-grab-info.patch
Patch39: openssh-4.3p2-pam-session.patch
License: BSD License: BSD
Group: Applications/Internet Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
Provides: ssh
%if %{nologin} %if %{nologin}
Requires: /sbin/nologin Requires: /sbin/nologin
%endif %endif
@ -140,14 +139,10 @@ BuildRequires: xauth
Summary: The OpenSSH client applications Summary: The OpenSSH client applications
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Group: Applications/Internet Group: Applications/Internet
Obsoletes: ssh-clients
Provides: ssh-clients
%package server %package server
Summary: The OpenSSH server daemon Summary: The OpenSSH server daemon
Group: System Environment/Daemons Group: System Environment/Daemons
Obsoletes: ssh-server
Provides: ssh-server
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Requires(post): chkconfig >= 0.9, /sbin/service Requires(post): chkconfig >= 0.9, /sbin/service
Requires(pre): /usr/sbin/useradd Requires(pre): /usr/sbin/useradd
@ -157,8 +152,8 @@ Requires: /etc/pam.d/system-auth, /%{_lib}/security/pam_loginuid.so
Summary: A passphrase dialog for OpenSSH and X Summary: A passphrase dialog for OpenSSH and X
Group: Applications/Internet Group: Applications/Internet
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras, openssh-askpass-gnome Obsoletes: openssh-askpass-gnome
Provides: ssh-extras, openssh-askpass-gnome Provides: openssh-askpass-gnome
%description %description
SSH (Secure SHell) is a program for logging into and executing SSH (Secure SHell) is a program for logging into and executing
@ -225,6 +220,7 @@ an X11 passphrase dialog for OpenSSH.
%patch36 -p0 -b .buffer-len %patch36 -p0 -b .buffer-len
%patch37 -p1 -b .typo %patch37 -p1 -b .typo
%patch38 -p1 -b .grab-info %patch38 -p1 -b .grab-info
%patch39 -p0 -b .pam-session
autoreconf autoreconf
@ -466,6 +462,11 @@ fi
%endif %endif
%changelog %changelog
* Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-7
- dropped old ssh obsoletes
- call the pam_session_open/close from the monitor when privsep is
enabled so it is always called as root (patch by Darren Tucker)
* Mon Jul 17 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-6 * Mon Jul 17 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-6
- improve selinux patch (by Jan Kiszka) - improve selinux patch (by Jan Kiszka)
- upstream patch for buffer append space error (#191940) - upstream patch for buffer append space error (#191940)