openssh/openssh-4.7p1-pam-session.patch

diff -up openssh-4.7p1/session.c.pam-session openssh-4.7p1/session.c
--- openssh-4.7p1/session.c.pam-session	2007-08-16 15:28:04.000000000 +0200
+++ openssh-4.7p1/session.c	2007-09-06 17:37:46.000000000 +0200
@@ -422,11 +422,6 @@ do_exec_no_pty(Session *s, const char *c
 
 	session_proctitle(s);
 
-#if defined(USE_PAM)
-	if (options.use_pam && !use_privsep)
-		do_pam_setcred(1);
-#endif /* USE_PAM */
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -557,14 +552,6 @@ do_exec_pty(Session *s, const char *comm
 	ptyfd = s->ptyfd;
 	ttyfd = s->ttyfd;
 
-#if defined(USE_PAM)
-	if (options.use_pam) {
-		do_pam_set_tty(s->tty);
-		if (!use_privsep)
-			do_pam_setcred(1);
-	}
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -1300,17 +1287,9 @@ do_setusercontext(struct passwd *pw)
 # ifdef __bsdi__
 		setpgid(0, 0);
 # endif
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
 # ifdef USE_PAM
 		if (options.use_pam) {
-			do_pam_session();
-			do_pam_setcred(use_privsep);
+			do_pam_setcred(0);
 		}
 # endif /* USE_PAM */
 		if (setusercontext(lc, pw, pw->pw_uid,
@@ -1337,13 +1316,6 @@ do_setusercontext(struct passwd *pw)
 			exit(1);
 		}
 		endgrent();
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups.
@@ -1351,8 +1323,7 @@ do_setusercontext(struct passwd *pw)
 		 * Reestablish them here.
 		 */
 		if (options.use_pam) {
-			do_pam_session();
-			do_pam_setcred(use_privsep);
+			do_pam_setcred(0);
 		}
 # endif /* USE_PAM */
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
diff -up openssh-4.7p1/sshd.c.pam-session openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.pam-session	2007-09-06 17:37:46.000000000 +0200
+++ openssh-4.7p1/sshd.c	2007-09-06 17:37:46.000000000 +0200
@@ -1831,7 +1831,21 @@ main(int ac, char **av)
 	audit_event(SSH_AUTH_SUCCESS);
 #endif
 
-	/*
+#ifdef GSSAPI
+	if (options.gss_authentication) {
+		temporarily_use_uid(authctxt->pw);
+		ssh_gssapi_storecreds();
+		restore_uid();
+	}
+#endif
+#ifdef USE_PAM
+	if (options.use_pam) {
+		do_pam_setcred(1);
+		do_pam_session();
+	}
+#endif
+
+ 	/*
 	 * In privilege separation, we fork another child and prepare
 	 * file descriptor passing.
 	 */
diff -up openssh-4.7p1/monitor.c.pam-session openssh-4.7p1/monitor.c
--- openssh-4.7p1/monitor.c.pam-session	2007-09-06 17:37:46.000000000 +0200
+++ openssh-4.7p1/monitor.c	2007-09-06 17:37:46.000000000 +0200
@@ -1566,6 +1566,11 @@ mm_answer_term(int sock, Buffer *req)
 	/* The child is terminating */
 	session_destroy_all(&mm_session_close);
 
+#ifdef USE_PAM
+	if (options.use_pam)
+		sshpam_cleanup();
+#endif
+
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);
diff -up openssh-4.7p1/auth-pam.c.pam-session openssh-4.7p1/auth-pam.c
--- openssh-4.7p1/auth-pam.c.pam-session	2007-08-10 06:32:34.000000000 +0200
+++ openssh-4.7p1/auth-pam.c	2007-09-06 17:37:46.000000000 +0200
@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss
 void
 sshpam_cleanup(void)
 {
-	debug("PAM: cleanup");
-	if (sshpam_handle == NULL)
+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
 		return;
+	debug("PAM: cleanup");
 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 	if (sshpam_cred_established) {
+		debug("PAM: deleting credentials");
 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
 		sshpam_cred_established = 0;
 	}
 	if (sshpam_session_open) {
+		debug("PAM: closing session");
 		pam_close_session(sshpam_handle, PAM_SILENT);
 		sshpam_session_open = 0;
 	}