diff --git a/openssh-4.3p2-pam-session.patch b/openssh-4.3p2-pam-session.patch new file mode 100644 index 0000000..2772c81 --- /dev/null +++ b/openssh-4.3p2-pam-session.patch @@ -0,0 +1,129 @@ +--- openssh-4.3p2/auth-pam.c.pam-session 2006-11-27 17:39:08.000000000 +0100 ++++ openssh-4.3p2/auth-pam.c 2006-11-27 19:31:41.000000000 +0100 +@@ -563,15 +563,17 @@ + void + sshpam_cleanup(void) + { +- debug("PAM: cleanup"); +- if (sshpam_handle == NULL) ++ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) + return; ++ debug("PAM: cleanup"); + pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); + if (sshpam_cred_established) { ++ debug("PAM: deleting credentials"); + pam_setcred(sshpam_handle, PAM_DELETE_CRED); + sshpam_cred_established = 0; + } + if (sshpam_session_open) { ++ debug("PAM: closing session"); + pam_close_session(sshpam_handle, PAM_SILENT); + sshpam_session_open = 0; + } +--- openssh-4.3p2/sshd.c.pam-session 2006-11-27 17:29:44.000000000 +0100 ++++ openssh-4.3p2/sshd.c 2006-11-28 21:21:52.000000000 +0100 +@@ -1745,7 +1745,21 @@ + audit_event(SSH_AUTH_SUCCESS); + #endif + +- /* ++#ifdef GSSAPI ++ if (options.gss_authentication) { ++ temporarily_use_uid(authctxt->pw); ++ ssh_gssapi_storecreds(); ++ restore_uid(); ++ } ++#endif ++#ifdef USE_PAM ++ if (options.use_pam) { ++ do_pam_setcred(1); ++ do_pam_session(); ++ } ++#endif ++ ++ /* + * In privilege separation, we fork another child and prepare + * file descriptor passing. + */ +--- openssh-4.3p2/monitor.c.pam-session 2006-11-27 17:29:44.000000000 +0100 ++++ openssh-4.3p2/monitor.c 2006-11-28 14:01:23.000000000 +0100 +@@ -1539,6 +1539,11 @@ + /* The child is terminating */ + session_destroy_all(&mm_session_close); + ++#ifdef USE_PAM ++ if (options.use_pam) ++ sshpam_cleanup(); ++#endif ++ + while (waitpid(pmonitor->m_pid, &status, 0) == -1) + if (errno != EINTR) + exit(1); +--- openssh-4.3p2/session.c.pam-session 2006-11-27 17:29:43.000000000 +0100 ++++ openssh-4.3p2/session.c 2006-11-28 21:17:56.000000000 +0100 +@@ -395,11 +395,6 @@ + + session_proctitle(s); + +-#if defined(USE_PAM) +- if (options.use_pam && !use_privsep) +- do_pam_setcred(1); +-#endif /* USE_PAM */ +- + /* Fork the child. */ + if ((pid = fork()) == 0) { + is_child = 1; +@@ -530,14 +525,6 @@ + ptyfd = s->ptyfd; + ttyfd = s->ttyfd; + +-#if defined(USE_PAM) +- if (options.use_pam) { +- do_pam_set_tty(s->tty); +- if (!use_privsep) +- do_pam_setcred(1); +- } +-#endif +- + /* Fork the child. */ + if ((pid = fork()) == 0) { + is_child = 1; +@@ -1266,16 +1253,8 @@ + # ifdef __bsdi__ + setpgid(0, 0); + # endif +-#ifdef GSSAPI +- if (options.gss_authentication) { +- temporarily_use_uid(pw); +- ssh_gssapi_storecreds(); +- restore_uid(); +- } +-#endif + # ifdef USE_PAM + if (options.use_pam) { +- do_pam_session(); + do_pam_setcred(0); + } + # endif /* USE_PAM */ +@@ -1303,13 +1282,6 @@ + exit(1); + } + endgrent(); +-#ifdef GSSAPI +- if (options.gss_authentication) { +- temporarily_use_uid(pw); +- ssh_gssapi_storecreds(); +- restore_uid(); +- } +-#endif + # ifdef USE_PAM + /* + * PAM credentials may take the form of supplementary groups. +@@ -1317,7 +1289,6 @@ + * Reestablish them here. + */ + if (options.use_pam) { +- do_pam_session(); + do_pam_setcred(0); + } + # endif /* USE_PAM */ diff --git a/openssh.spec b/openssh.spec index 64f41d9..deae1a5 100644 --- a/openssh.spec +++ b/openssh.spec @@ -61,7 +61,7 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2 Name: openssh Version: 4.3p2 -Release: 12%{?dist}%{?rescue_rel} +Release: 13%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig @@ -97,6 +97,7 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch Patch45: openssh-4.3p2-cve-2006-4924.patch Patch46: openssh-3.9p1-cve-2006-5051.patch Patch47: openssh-4.3p2-cve-2006-5794.patch +Patch48: openssh-4.3p2-pam-session.patch License: BSD Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot @@ -231,6 +232,7 @@ an X11 passphrase dialog for OpenSSH. %patch45 -p1 -b .deattack-dos %patch46 -p1 -b .sig-no-cleanup %patch47 -p1 -b .verify +%patch48 -p1 -b .pam-sesssion autoreconf @@ -475,6 +477,10 @@ fi %endif %changelog +* Tue Nov 28 2006 Tomas Mraz - 4.3p2-13 +- improved pam_session patch so it doesn't regress, the patch is necessary + for the pam_session_close to be called correctly as uid 0 + * Fri Nov 10 2006 Tomas Mraz - 4.3p2-12 - CVE-2006-5794 - properly detect failed key verify in monitor (#214641)