* Merge from Ubuntu:

  - Add support for registering ConsoleKit sessions on login.  (This is
    currently enabled only when building for Ubuntu.)

18 files changed, 1258 insertions, 4 deletions

diff --git a/Makefile.in b/Makefile.in
index 80155cc77..9a286a390 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -94,7 +94,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         sftp-server.o sftp-common.o \
         roaming_common.o roaming_serv.o \
         sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-        sandbox-seccomp-filter.o
+        sandbox-seccomp-filter.o \
+        consolekit.o
 
 MANPAGES        = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN     = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
diff --git a/configure b/configure
index 5e473371d..2f249c936 100755
--- a/configure
+++ b/configure
@@ -735,6 +735,7 @@ with_privsep_user
 with_sandbox
 with_selinux
 with_kerberos5
+with_consolekit
 with_privsep_path
 with_xauth
 enable_strip
@@ -1425,6 +1426,7 @@ Optional Packages:
   --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
   --with-selinux          Enable SELinux support
   --with-kerberos5=PATH   Enable Kerberos 5 support
+  --with-consolekit       Enable ConsoleKit support
   --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
   --with-xauth=PATH       Specify path to xauth program
   --with-maildir=/path/to/mail    Specify your system mail directory
@@ -15683,6 +15685,135 @@ fi
 fi
 
 
+# Check whether user wants ConsoleKit support
+CONSOLEKIT_MSG="no"
+LIBCK_CONNECTOR=""
+
+# Check whether --with-consolekit was given.
+if test "${with_consolekit+set}" = set; then :
+  withval=$with_consolekit;  if test "x$withval" != "xno" ; then
+                if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PKGCONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PKGCONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PKGCONFIG=$ac_cv_path_PKGCONFIG
+if test -n "$PKGCONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKGCONFIG" >&5
+$as_echo "$PKGCONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_path_PKGCONFIG"; then
+  ac_pt_PKGCONFIG=$PKGCONFIG
+  # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $ac_pt_PKGCONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG
+if test -n "$ac_pt_PKGCONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5
+$as_echo "$ac_pt_PKGCONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_pt_PKGCONFIG" = x; then
+    PKGCONFIG="no"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    PKGCONFIG=$ac_pt_PKGCONFIG
+  fi
+else
+  PKGCONFIG="$ac_cv_path_PKGCONFIG"
+fi
+
+                if test "$PKGCONFIG" != "no"; then
+                        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ck-connector" >&5
+$as_echo_n "checking for ck-connector... " >&6; }
+                        if $PKGCONFIG --exists ck-connector; then
+                                CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
+                                CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
+                                CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
+                                SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
+                                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define USE_CONSOLEKIT 1" >>confdefs.h
+
+                                CONSOLEKIT_MSG="yes"
+                        else
+                                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                        fi
+                fi
+        fi
+
+fi
+
+
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
@@ -18155,6 +18286,7 @@ echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
+echo "                ConsoleKit support: $CONSOLEKIT_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
diff --git a/configure.ac b/configure.ac
index f3718537f..fabd3e0f1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3672,6 +3672,30 @@ AC_ARG_WITH([kerberos5],
         ]
 )
 
+# Check whether user wants ConsoleKit support
+CONSOLEKIT_MSG="no"
+LIBCK_CONNECTOR=""
+AC_ARG_WITH(consolekit,
+        [  --with-consolekit       Enable ConsoleKit support],
+        [ if test "x$withval" != "xno" ; then
+                AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+                if test "$PKGCONFIG" != "no"; then
+                        AC_MSG_CHECKING([for ck-connector])
+                        if $PKGCONFIG --exists ck-connector; then
+                                CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
+                                CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
+                                CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
+                                SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
+                                AC_MSG_RESULT([yes])
+                                AC_DEFINE(USE_CONSOLEKIT, 1, [Define if you want ConsoleKit support.])
+                                CONSOLEKIT_MSG="yes"
+                        else
+                                AC_MSG_RESULT([no])
+                        fi
+                fi
+        fi ]
+)
+
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
@@ -4435,6 +4459,7 @@ echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
+echo "                ConsoleKit support: $CONSOLEKIT_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
diff --git a/consolekit.c b/consolekit.c
new file mode 100644
index 000000000..2da3b10f6
--- /dev/null
+++ b/consolekit.c
@@ -0,0 +1,239 @@
+/*
+ * Copyright (c) 2008 Colin Watson.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*
+ * Loosely based on pam-ck-connector, which is:
+ *
+ * Copyright (c) 2007 David Zeuthen <davidz@redhat.com>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use,
+ * copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following
+ * conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef USE_CONSOLEKIT
+
+#include <ck-connector.h>
+
+#include "xmalloc.h"
+#include "channels.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "log.h"
+#include "servconf.h"
+#include "canohost.h"
+#include "session.h"
+#include "consolekit.h"
+
+extern ServerOptions options;
+extern u_int utmp_len;
+
+void
+set_active(const char *cookie)
+{
+        DBusError err;
+        DBusConnection *connection;
+        DBusMessage *message = NULL, *reply = NULL;
+        char *sid;
+        DBusMessageIter iter, subiter;
+        const char *interface, *property;
+        dbus_bool_t active;
+
+        dbus_error_init(&err);
+        connection = dbus_bus_get_private(DBUS_BUS_SYSTEM, &err);
+        if (!connection) {
+                if (dbus_error_is_set(&err)) {
+                        error("unable to open DBus connection: %s",
+                            err.message);
+                        dbus_error_free(&err);
+                }
+                goto out;
+        }
+        dbus_connection_set_exit_on_disconnect(connection, FALSE);
+
+        message = dbus_message_new_method_call("org.freedesktop.ConsoleKit",
+            "/org/freedesktop/ConsoleKit/Manager",
+            "org.freedesktop.ConsoleKit.Manager",
+            "GetSessionForCookie");
+        if (!message)
+                goto out;
+        if (!dbus_message_append_args(message, DBUS_TYPE_STRING, &cookie,
+            DBUS_TYPE_INVALID)) {
+                if (dbus_error_is_set(&err)) {
+                        error("unable to get current session: %s",
+                            err.message);
+                        dbus_error_free(&err);
+                }
+                goto out;
+        }
+
+        dbus_error_init(&err);
+        reply = dbus_connection_send_with_reply_and_block(connection, message,
+            -1, &err);
+        if (!reply) {
+                if (dbus_error_is_set(&err)) {
+                        error("unable to get current session: %s",
+                            err.message);
+                        dbus_error_free(&err);
+                }
+                goto out;
+        }
+
+        dbus_error_init(&err);
+        if (!dbus_message_get_args(reply, &err,
+            DBUS_TYPE_OBJECT_PATH, &sid,
+            DBUS_TYPE_INVALID)) {
+                if (dbus_error_is_set(&err)) {
+                        error("unable to get current session: %s",
+                            err.message);
+                        dbus_error_free(&err);
+                }
+                goto out;
+        }
+        dbus_message_unref(reply);
+        dbus_message_unref(message);
+        message = reply = NULL;
+
+        message = dbus_message_new_method_call("org.freedesktop.ConsoleKit",
+            sid, "org.freedesktop.DBus.Properties", "Set");
+        if (!message)
+                goto out;
+        interface = "org.freedesktop.ConsoleKit.Session";
+        property = "active";
+        if (!dbus_message_append_args(message,
+            DBUS_TYPE_STRING, &interface, DBUS_TYPE_STRING, &property,
+            DBUS_TYPE_INVALID))
+                goto out;
+        dbus_message_iter_init_append(message, &iter);
+        if (!dbus_message_iter_open_container(&iter, DBUS_TYPE_VARIANT,
+            DBUS_TYPE_BOOLEAN_AS_STRING, &subiter))
+                goto out;
+        active = TRUE;
+        if (!dbus_message_iter_append_basic(&subiter, DBUS_TYPE_BOOLEAN,
+            &active))
+                goto out;
+        if (!dbus_message_iter_close_container(&iter, &subiter))
+                goto out;
+
+        dbus_error_init(&err);
+        reply = dbus_connection_send_with_reply_and_block(connection, message,
+            -1, &err);
+        if (!reply) {
+                if (dbus_error_is_set(&err)) {
+                        error("unable to make current session active: %s",
+                            err.message);
+                        dbus_error_free(&err);
+                }
+                goto out;
+        }
+
+out:
+        if (reply)
+                dbus_message_unref(reply);
+        if (message)
+                dbus_message_unref(message);
+}
+
+/*
+ * We pass display separately rather than using s->display because the
+ * latter is not available in the monitor when using privsep.
+ */
+
+char *
+consolekit_register(Session *s, const char *display)
+{
+        DBusError err;
+        const char *tty = s->tty;
+        const char *remote_host_name;
+        dbus_bool_t is_local = FALSE;
+        const char *cookie = NULL;
+
+        if (s->ckc) {
+                debug("already registered with ConsoleKit");
+                return xstrdup(ck_connector_get_cookie(s->ckc));
+        }
+
+        s->ckc = ck_connector_new();
+        if (!s->ckc) {
+                error("ck_connector_new failed");
+                return NULL;
+        }
+
+        if (!tty)
+                tty = "";
+        if (!display)
+                display = "";
+        remote_host_name = get_remote_name_or_ip(utmp_len, options.use_dns);
+        if (!remote_host_name)
+                remote_host_name = "";
+
+        dbus_error_init(&err);
+        if (!ck_connector_open_session_with_parameters(s->ckc, &err,
+            "unix-user", &s->pw->pw_uid,
+            "display-device", &tty,
+            "x11-display", &display,
+            "remote-host-name", &remote_host_name,
+            "is-local", &is_local,
+            NULL)) {
+                if (dbus_error_is_set(&err)) {
+                        debug("%s", err.message);
+                        dbus_error_free(&err);
+                } else {
+                        debug("insufficient privileges or D-Bus / ConsoleKit "
+                            "not available");
+                }
+                return NULL;
+        }
+
+        debug("registered uid=%d on tty='%s' with ConsoleKit",
+            s->pw->pw_uid, s->tty);
+
+        cookie = ck_connector_get_cookie(s->ckc);
+        set_active(cookie);
+        return xstrdup(cookie);
+}
+
+void
+consolekit_unregister(Session *s)
+{
+        if (s->ckc) {
+                debug("unregistering ConsoleKit session %s",
+                    ck_connector_get_cookie(s->ckc));
+                ck_connector_unref(s->ckc);
+                s->ckc = NULL;
+        }
+}
+
+#endif /* USE_CONSOLEKIT */
diff --git a/consolekit.h b/consolekit.h
new file mode 100644
index 000000000..8ce371690
--- /dev/null
+++ b/consolekit.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2008 Colin Watson.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef USE_CONSOLEKIT
+
+struct Session;
+
+char *   consolekit_register(struct Session *, const char *);
+void     consolekit_unregister(struct Session *);
+
+#endif /* USE_CONSOLEKIT */
diff --git a/debian/changelog b/debian/changelog
index eb94dd09f..2c137c99b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 openssh (1:6.1p1-2) UNRELEASED; urgency=low
 
   * Use xz compression for binary packages.
+  * Merge from Ubuntu:
+    - Add support for registering ConsoleKit sessions on login.  (This is
+      currently enabled only when building for Ubuntu.)
 
  -- Colin Watson <cjwatson@debian.org>  Fri, 28 Sep 2012 17:54:42 +0100
 
diff --git a/debian/control b/debian/control
index ff8f63c18..1105b0699 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: openssh
 Section: net
 Priority: standard
 Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8g), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.4.2~), libselinux1-dev [linux-any], libkrb5-dev | heimdal-dev, dpkg (>= 1.16.1~)
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8g), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.4.2~), libselinux1-dev [linux-any], libkrb5-dev | heimdal-dev, dpkg (>= 1.16.1~), libck-connector-dev
 Standards-Version: 3.8.4
 Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.org>
 Homepage: http://www.openssh.org/
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 08ba01e37..6ffc716ee 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -8,7 +8,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -276,6 +276,7 @@
+@@ -277,6 +277,7 @@
         $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
         $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
         $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
new file mode 100644
index 000000000..a952e4405
--- /dev/null
+++ b/debian/patches/consolekit.patch
@@ -0,0 +1,725 @@
+Description: Add support for registering ConsoleKit sessions on login
+Author: Colin Watson <cjwatson@ubuntu.com>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
+Last-Updated: 2012-10-31
+
+Index: b/Makefile.in
+===================================================================
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -94,7 +94,8 @@
+        sftp-server.o sftp-common.o \
+        roaming_common.o roaming_serv.o \
+        sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+-       sandbox-seccomp-filter.o
++       sandbox-seccomp-filter.o \
++       consolekit.o
+ 
+ MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
+ MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
+Index: b/configure.ac
+===================================================================
+--- a/configure.ac
++++ b/configure.ac
+@@ -3672,6 +3672,30 @@
+        ]
+ )
+ 
++# Check whether user wants ConsoleKit support
++CONSOLEKIT_MSG="no"
++LIBCK_CONNECTOR=""
++AC_ARG_WITH(consolekit,
++       [  --with-consolekit       Enable ConsoleKit support],
++       [ if test "x$withval" != "xno" ; then
++               AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
++               if test "$PKGCONFIG" != "no"; then
++                       AC_MSG_CHECKING([for ck-connector])
++                       if $PKGCONFIG --exists ck-connector; then
++                               CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
++                               CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
++                               CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
++                               SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
++                               AC_MSG_RESULT([yes])
++                               AC_DEFINE(USE_CONSOLEKIT, 1, [Define if you want ConsoleKit support.])
++                               CONSOLEKIT_MSG="yes"
++                       else
++                               AC_MSG_RESULT([no])
++                       fi
++               fi
++       fi ]
++)
++
+ # Looking for programs, paths and files
+ 
+ PRIVSEP_PATH=/var/empty
+@@ -4435,6 +4459,7 @@
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+ echo "           Solaris project support: $SP_MSG"
++echo "                ConsoleKit support: $CONSOLEKIT_MSG"
+ echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
+Index: b/configure
+===================================================================
+--- a/configure
++++ b/configure
+@@ -735,6 +735,7 @@
+ with_sandbox
+ with_selinux
+ with_kerberos5
++with_consolekit
+ with_privsep_path
+ with_xauth
+ enable_strip
+@@ -1425,6 +1426,7 @@
+   --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
+   --with-selinux          Enable SELinux support
+   --with-kerberos5=PATH   Enable Kerberos 5 support
++  --with-consolekit       Enable ConsoleKit support
+   --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
+   --with-xauth=PATH       Specify path to xauth program
+   --with-maildir=/path/to/mail    Specify your system mail directory
+@@ -15683,6 +15685,135 @@
+ fi
+ 
+ 
++# Check whether user wants ConsoleKit support
++CONSOLEKIT_MSG="no"
++LIBCK_CONNECTOR=""
++
++# Check whether --with-consolekit was given.
++if test "${with_consolekit+set}" = set; then :
++  withval=$with_consolekit;  if test "x$withval" != "xno" ; then
++               if test -n "$ac_tool_prefix"; then
++  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
++set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if ${ac_cv_path_PKGCONFIG+:} false; then :
++  $as_echo_n "(cached) " >&6
++else
++  case $PKGCONFIG in
++  [\\/]* | ?:[\\/]*)
++  ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path.
++  ;;
++  *)
++  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++for as_dir in $PATH
++do
++  IFS=$as_save_IFS
++  test -z "$as_dir" && as_dir=.
++    for ac_exec_ext in '' $ac_executable_extensions; do
++  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++    ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
++    break 2
++  fi
++done
++  done
++IFS=$as_save_IFS
++
++  ;;
++esac
++fi
++PKGCONFIG=$ac_cv_path_PKGCONFIG
++if test -n "$PKGCONFIG"; then
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKGCONFIG" >&5
++$as_echo "$PKGCONFIG" >&6; }
++else
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++fi
++
++
++fi
++if test -z "$ac_cv_path_PKGCONFIG"; then
++  ac_pt_PKGCONFIG=$PKGCONFIG
++  # Extract the first word of "pkg-config", so it can be a program name with args.
++set dummy pkg-config; ac_word=$2
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then :
++  $as_echo_n "(cached) " >&6
++else
++  case $ac_pt_PKGCONFIG in
++  [\\/]* | ?:[\\/]*)
++  ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path.
++  ;;
++  *)
++  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++for as_dir in $PATH
++do
++  IFS=$as_save_IFS
++  test -z "$as_dir" && as_dir=.
++    for ac_exec_ext in '' $ac_executable_extensions; do
++  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++    ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
++    break 2
++  fi
++done
++  done
++IFS=$as_save_IFS
++
++  ;;
++esac
++fi
++ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG
++if test -n "$ac_pt_PKGCONFIG"; then
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5
++$as_echo "$ac_pt_PKGCONFIG" >&6; }
++else
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++fi
++
++  if test "x$ac_pt_PKGCONFIG" = x; then
++    PKGCONFIG="no"
++  else
++    case $cross_compiling:$ac_tool_warned in
++yes:)
++{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
++$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
++ac_tool_warned=yes ;;
++esac
++    PKGCONFIG=$ac_pt_PKGCONFIG
++  fi
++else
++  PKGCONFIG="$ac_cv_path_PKGCONFIG"
++fi
++
++               if test "$PKGCONFIG" != "no"; then
++                       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ck-connector" >&5
++$as_echo_n "checking for ck-connector... " >&6; }
++                       if $PKGCONFIG --exists ck-connector; then
++                               CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
++                               CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
++                               CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
++                               SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
++                               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++
++$as_echo "#define USE_CONSOLEKIT 1" >>confdefs.h
++
++                               CONSOLEKIT_MSG="yes"
++                       else
++                               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++                       fi
++               fi
++       fi
++
++fi
++
++
+ # Looking for programs, paths and files
+ 
+ PRIVSEP_PATH=/var/empty
+@@ -18155,6 +18286,7 @@
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+ echo "           Solaris project support: $SP_MSG"
++echo "                ConsoleKit support: $CONSOLEKIT_MSG"
+ echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
+Index: b/consolekit.c
+===================================================================
+--- /dev/null
++++ b/consolekit.c
+@@ -0,0 +1,239 @@
++/*
++ * Copyright (c) 2008 Colin Watson.  All rights reserved.
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++/*
++ * Loosely based on pam-ck-connector, which is:
++ *
++ * Copyright (c) 2007 David Zeuthen <davidz@redhat.com>
++ *
++ * Permission is hereby granted, free of charge, to any person
++ * obtaining a copy of this software and associated documentation
++ * files (the "Software"), to deal in the Software without
++ * restriction, including without limitation the rights to use,
++ * copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following
++ * conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
++ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
++ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
++ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
++ * OTHER DEALINGS IN THE SOFTWARE.
++ */
++
++#include "includes.h"
++
++#ifdef USE_CONSOLEKIT
++
++#include <ck-connector.h>
++
++#include "xmalloc.h"
++#include "channels.h"
++#include "key.h"
++#include "hostfile.h"
++#include "auth.h"
++#include "log.h"
++#include "servconf.h"
++#include "canohost.h"
++#include "session.h"
++#include "consolekit.h"
++
++extern ServerOptions options;
++extern u_int utmp_len;
++
++void
++set_active(const char *cookie)
++{
++       DBusError err;
++       DBusConnection *connection;
++       DBusMessage *message = NULL, *reply = NULL;
++       char *sid;
++       DBusMessageIter iter, subiter;
++       const char *interface, *property;
++       dbus_bool_t active;
++
++       dbus_error_init(&err);
++       connection = dbus_bus_get_private(DBUS_BUS_SYSTEM, &err);
++       if (!connection) {
++               if (dbus_error_is_set(&err)) {
++                       error("unable to open DBus connection: %s",
++                           err.message);
++                       dbus_error_free(&err);
++               }
++               goto out;
++       }
++       dbus_connection_set_exit_on_disconnect(connection, FALSE);
++
++       message = dbus_message_new_method_call("org.freedesktop.ConsoleKit",
++           "/org/freedesktop/ConsoleKit/Manager",
++           "org.freedesktop.ConsoleKit.Manager",
++           "GetSessionForCookie");
++       if (!message)
++               goto out;
++       if (!dbus_message_append_args(message, DBUS_TYPE_STRING, &cookie,
++           DBUS_TYPE_INVALID)) {
++               if (dbus_error_is_set(&err)) {
++                       error("unable to get current session: %s",
++                           err.message);
++                       dbus_error_free(&err);
++               }
++               goto out;
++       }
++
++       dbus_error_init(&err);
++       reply = dbus_connection_send_with_reply_and_block(connection, message,
++           -1, &err);
++       if (!reply) {
++               if (dbus_error_is_set(&err)) {
++                       error("unable to get current session: %s",
++                           err.message);
++                       dbus_error_free(&err);
++               }
++               goto out;
++       }
++
++       dbus_error_init(&err);
++       if (!dbus_message_get_args(reply, &err,
++           DBUS_TYPE_OBJECT_PATH, &sid,
++           DBUS_TYPE_INVALID)) {
++               if (dbus_error_is_set(&err)) {
++                       error("unable to get current session: %s",
++                           err.message);
++                       dbus_error_free(&err);
++               }
++               goto out;
++       }
++       dbus_message_unref(reply);
++       dbus_message_unref(message);
++       message = reply = NULL;
++
++       message = dbus_message_new_method_call("org.freedesktop.ConsoleKit",
++           sid, "org.freedesktop.DBus.Properties", "Set");
++       if (!message)
++               goto out;
++       interface = "org.freedesktop.ConsoleKit.Session";
++       property = "active";
++       if (!dbus_message_append_args(message,
++           DBUS_TYPE_STRING, &interface, DBUS_TYPE_STRING, &property,
++           DBUS_TYPE_INVALID))
++               goto out;
++       dbus_message_iter_init_append(message, &iter);
++       if (!dbus_message_iter_open_container(&iter, DBUS_TYPE_VARIANT,
++           DBUS_TYPE_BOOLEAN_AS_STRING, &subiter))
++               goto out;
++       active = TRUE;
++       if (!dbus_message_iter_append_basic(&subiter, DBUS_TYPE_BOOLEAN,
++           &active))
++               goto out;
++       if (!dbus_message_iter_close_container(&iter, &subiter))
++               goto out;
++
++       dbus_error_init(&err);
++       reply = dbus_connection_send_with_reply_and_block(connection, message,
++           -1, &err);
++       if (!reply) {
++               if (dbus_error_is_set(&err)) {
++                       error("unable to make current session active: %s",
++                           err.message);
++                       dbus_error_free(&err);
++               }
++               goto out;
++       }
++
++out:
++       if (reply)
++               dbus_message_unref(reply);
++       if (message)
++               dbus_message_unref(message);
++}
++
++/*
++ * We pass display separately rather than using s->display because the
++ * latter is not available in the monitor when using privsep.
++ */
++
++char *
++consolekit_register(Session *s, const char *display)
++{
++       DBusError err;
++       const char *tty = s->tty;
++       const char *remote_host_name;
++       dbus_bool_t is_local = FALSE;
++       const char *cookie = NULL;
++
++       if (s->ckc) {
++               debug("already registered with ConsoleKit");
++               return xstrdup(ck_connector_get_cookie(s->ckc));
++       }
++
++       s->ckc = ck_connector_new();
++       if (!s->ckc) {
++               error("ck_connector_new failed");
++               return NULL;
++       }
++
++       if (!tty)
++               tty = "";
++       if (!display)
++               display = "";
++       remote_host_name = get_remote_name_or_ip(utmp_len, options.use_dns);
++       if (!remote_host_name)
++               remote_host_name = "";
++
++       dbus_error_init(&err);
++       if (!ck_connector_open_session_with_parameters(s->ckc, &err,
++           "unix-user", &s->pw->pw_uid,
++           "display-device", &tty,
++           "x11-display", &display,
++           "remote-host-name", &remote_host_name,
++           "is-local", &is_local,
++           NULL)) {
++               if (dbus_error_is_set(&err)) {
++                       debug("%s", err.message);
++                       dbus_error_free(&err);
++               } else {
++                       debug("insufficient privileges or D-Bus / ConsoleKit "
++                           "not available");
++               }
++               return NULL;
++       }
++
++       debug("registered uid=%d on tty='%s' with ConsoleKit",
++           s->pw->pw_uid, s->tty);
++
++       cookie = ck_connector_get_cookie(s->ckc);
++       set_active(cookie);
++       return xstrdup(cookie);
++}
++
++void
++consolekit_unregister(Session *s)
++{
++       if (s->ckc) {
++               debug("unregistering ConsoleKit session %s",
++                   ck_connector_get_cookie(s->ckc));
++               ck_connector_unref(s->ckc);
++               s->ckc = NULL;
++       }
++}
++
++#endif /* USE_CONSOLEKIT */
+Index: b/consolekit.h
+===================================================================
+--- /dev/null
++++ b/consolekit.h
+@@ -0,0 +1,24 @@
++/*
++ * Copyright (c) 2008 Colin Watson.  All rights reserved.
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#ifdef USE_CONSOLEKIT
++
++struct Session;
++
++char *  consolekit_register(struct Session *, const char *);
++void    consolekit_unregister(struct Session *);
++
++#endif /* USE_CONSOLEKIT */
+Index: b/monitor.c
+===================================================================
+--- a/monitor.c
++++ b/monitor.c
+@@ -97,6 +97,9 @@
+ #include "ssh2.h"
+ #include "jpake.h"
+ #include "roaming.h"
++#ifdef USE_CONSOLEKIT
++#include "consolekit.h"
++#endif
+ 
+ #ifdef GSSAPI
+ static Gssctxt *gsscontext = NULL;
+@@ -192,6 +195,10 @@
+ 
+ static int monitor_read_log(struct monitor *);
+ 
++#ifdef USE_CONSOLEKIT
++int mm_answer_consolekit_register(int, Buffer *);
++#endif
++
+ static Authctxt *authctxt;
+ static BIGNUM *ssh1_challenge = NULL;  /* used for ssh1 rsa auth */
+ 
+@@ -283,6 +290,9 @@
+     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
+ #endif
++#ifdef USE_CONSOLEKIT
++    {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
++#endif
+     {0, 0, NULL}
+ };
+ 
+@@ -325,6 +335,9 @@
+     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
+ #endif
++#ifdef USE_CONSOLEKIT
++    {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
++#endif
+     {0, 0, NULL}
+ };
+ 
+@@ -495,6 +508,9 @@
+                monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
+        }
++#ifdef USE_CONSOLEKIT
++       monitor_permit(mon_dispatch, MONITOR_REQ_CONSOLEKIT_REGISTER, 1);
++#endif
+ 
+        for (;;)
+                monitor_read(pmonitor, mon_dispatch, NULL);
+@@ -2196,6 +2212,34 @@
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+ 
++#ifdef USE_CONSOLEKIT
++int
++mm_answer_consolekit_register(int sock, Buffer *m)
++{
++       Session *s;
++       char *tty, *display;
++       char *cookie = NULL;
++
++       debug3("%s entering", __func__);
++
++       tty = buffer_get_string(m, NULL);
++       display = buffer_get_string(m, NULL);
++       s = session_by_tty(tty);
++       if (s != NULL)
++               cookie = consolekit_register(s, display);
++       buffer_clear(m);
++       buffer_put_cstring(m, cookie != NULL ? cookie : "");
++       mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m);
++
++       if (cookie != NULL)
++               xfree(cookie);
++       xfree(display);
++       xfree(tty);
++
++       return (0);
++}
++#endif /* USE_CONSOLEKIT */
++
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+ 
+        gss_release_buffer(&minor, &hash);
+Index: b/monitor.h
+===================================================================
+--- a/monitor.h
++++ b/monitor.h
+@@ -62,6 +62,7 @@
+        MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
+        MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
+        MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
++       MONITOR_REQ_CONSOLEKIT_REGISTER, MONITOR_ANS_CONSOLEKIT_REGISTER,
+        MONITOR_REQ_TERM,
+        MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
+        MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
+Index: b/monitor_wrap.c
+===================================================================
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -1310,6 +1310,37 @@
+ mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
+ {
+        Buffer m;
++
++#ifdef USE_CONSOLEKIT
++char *
++mm_consolekit_register(Session *s, const char *display)
++{
++       Buffer m;
++       char *cookie;
++
++       debug3("%s entering", __func__);
++
++       if (s->ttyfd == -1)
++               return NULL;
++       buffer_init(&m);
++       buffer_put_cstring(&m, s->tty);
++       buffer_put_cstring(&m, display != NULL ? display : "");
++       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_CONSOLEKIT_REGISTER, &m);
++       buffer_clear(&m);
++
++       mm_request_receive_expect(pmonitor->m_recvfd,
++           MONITOR_ANS_CONSOLEKIT_REGISTER, &m);
++       cookie = buffer_get_string(&m, NULL);
++       buffer_free(&m);
++
++       /* treat empty cookie as missing cookie */
++       if (strlen(cookie) == 0) {
++               xfree(cookie);
++               cookie = NULL;
++       }
++       return (cookie);
++}
++#endif /* USE_CONSOLEKIT */
+        OM_uint32 major;
+        u_int len;
+ 
+Index: b/monitor_wrap.h
+===================================================================
+--- a/monitor_wrap.h
++++ b/monitor_wrap.h
+@@ -131,4 +131,8 @@
+ void mm_zfree(struct mm_master *, void *);
+ void mm_init_compression(struct mm_master *);
+ 
++#ifdef USE_CONSOLEKIT
++char *mm_consolekit_register(struct Session *, const char *);
++#endif /* USE_CONSOLEKIT */
++
+ #endif /* _MM_WRAP_H_ */
+Index: b/session.c
+===================================================================
+--- a/session.c
++++ b/session.c
+@@ -91,6 +91,7 @@
+ #include "kex.h"
+ #include "monitor_wrap.h"
+ #include "sftp.h"
++#include "consolekit.h"
+ 
+ #if defined(KRB5) && defined(USE_AFS)
+ #include <kafs.h>
+@@ -1129,6 +1130,9 @@
+ #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
+        char *path = NULL;
+ #endif
++#ifdef USE_CONSOLEKIT
++       const char *ckcookie = NULL;
++#endif /* USE_CONSOLEKIT */
+ 
+        /* Initialize the environment. */
+        envsize = 100;
+@@ -1273,6 +1277,11 @@
+                child_set_env(&env, &envsize, "KRB5CCNAME",
+                    s->authctxt->krb5_ccname);
+ #endif
++#ifdef USE_CONSOLEKIT
++       ckcookie = PRIVSEP(consolekit_register(s, s->display));
++       if (ckcookie)
++               child_set_env(&env, &envsize, "XDG_SESSION_COOKIE", ckcookie);
++#endif /* USE_CONSOLEKIT */
+ #ifdef USE_PAM
+        /*
+         * Pull in any environment variables that may have
+@@ -2300,6 +2309,10 @@
+ 
+        debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
+ 
++#ifdef USE_CONSOLEKIT
++       consolekit_unregister(s);
++#endif /* USE_CONSOLEKIT */
++
+        /* Record that the user has logged out. */
+        if (s->pid != 0)
+                record_logout(s->pid, s->tty, s->pw->pw_name);
+Index: b/session.h
+===================================================================
+--- a/session.h
++++ b/session.h
+@@ -26,6 +26,8 @@
+ #ifndef SESSION_H
+ #define SESSION_H
+ 
++struct _CkConnector;
++
+ #define TTYSZ 64
+ typedef struct Session Session;
+ struct Session {
+@@ -60,6 +62,10 @@
+                char    *name;
+                char    *val;
+        } *env;
++
++#ifdef USE_CONSOLEKIT
++       struct _CkConnector *ckc;
++#endif /* USE_CONSOLEKIT */
+ };
+ 
+ void    do_authenticated(Authctxt *);
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 12877d32f..ae32969ea 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -9,7 +9,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -283,9 +283,9 @@
+@@ -284,9 +284,9 @@
         $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
         $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
         -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/series b/debian/patches/series
index dd34d62e0..c5cf8de4b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,6 +17,9 @@ syslog-level-silent.patch
 quieter-signals.patch
 helpful-wait-terminate.patch
 
+# ConsoleKit
+consolekit.patch
+
 # Miscellaneous bug fixes
 user-group-modes.patch
 scp-quoting.patch
diff --git a/debian/rules b/debian/rules
index af2172198..3dfbe6a66 100755
--- a/debian/rules
+++ b/debian/rules
@@ -77,6 +77,9 @@ confflags += --with-ssl-engine
 ifeq ($(DEB_HOST_ARCH_OS),linux)
 confflags += --with-selinux
 endif
+ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
+confflags += --with-consolekit
+endif
 
 # The deb build wants xauth; the udeb build doesn't.
 confflags += --with-xauth=/usr/bin/xauth
diff --git a/monitor.c b/monitor.c
index 0f4055e54..a5d1c5ba1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -97,6 +97,9 @@
 #include "ssh2.h"
 #include "jpake.h"
 #include "roaming.h"
+#ifdef USE_CONSOLEKIT
+#include "consolekit.h"
+#endif
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -192,6 +195,10 @@ int mm_answer_audit_command(int, Buffer *);
 
 static int monitor_read_log(struct monitor *);
 
+#ifdef USE_CONSOLEKIT
+int mm_answer_consolekit_register(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;   /* used for ssh1 rsa auth */
 
@@ -283,6 +290,9 @@ struct mon_table mon_dispatch_postauth20[] = {
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
 #endif
+#ifdef USE_CONSOLEKIT
+    {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
+#endif
     {0, 0, NULL}
 };
 
@@ -325,6 +335,9 @@ struct mon_table mon_dispatch_postauth15[] = {
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
 #endif
+#ifdef USE_CONSOLEKIT
+    {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
+#endif
     {0, 0, NULL}
 };
 
@@ -495,6 +508,9 @@ monitor_child_postauth(struct monitor *pmonitor)
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
         }
+#ifdef USE_CONSOLEKIT
+        monitor_permit(mon_dispatch, MONITOR_REQ_CONSOLEKIT_REGISTER, 1);
+#endif
 
         for (;;)
                 monitor_read(pmonitor, mon_dispatch, NULL);
@@ -2196,6 +2212,34 @@ mm_answer_gss_sign(int socket, Buffer *m)
         buffer_put_int(m, major);
         buffer_put_string(m, hash.value, hash.length);
 
+#ifdef USE_CONSOLEKIT
+int
+mm_answer_consolekit_register(int sock, Buffer *m)
+{
+        Session *s;
+        char *tty, *display;
+        char *cookie = NULL;
+
+        debug3("%s entering", __func__);
+
+        tty = buffer_get_string(m, NULL);
+        display = buffer_get_string(m, NULL);
+        s = session_by_tty(tty);
+        if (s != NULL)
+                cookie = consolekit_register(s, display);
+        buffer_clear(m);
+        buffer_put_cstring(m, cookie != NULL ? cookie : "");
+        mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m);
+
+        if (cookie != NULL)
+                xfree(cookie);
+        xfree(display);
+        xfree(tty);
+
+        return (0);
+}
+#endif /* USE_CONSOLEKIT */
+
         mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
 
         gss_release_buffer(&minor, &hash);
diff --git a/monitor.h b/monitor.h
index 42887ebd1..15a38c347 100644
--- a/monitor.h
+++ b/monitor.h
@@ -62,6 +62,7 @@ enum monitor_reqtype {
         MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
         MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
         MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
+        MONITOR_REQ_CONSOLEKIT_REGISTER, MONITOR_ANS_CONSOLEKIT_REGISTER,
         MONITOR_REQ_TERM,
         MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
         MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index f46be660d..b758c9f72 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1310,6 +1310,37 @@ OM_uint32
 mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
 {
         Buffer m;
+
+#ifdef USE_CONSOLEKIT
+char *
+mm_consolekit_register(Session *s, const char *display)
+{
+        Buffer m;
+        char *cookie;
+
+        debug3("%s entering", __func__);
+
+        if (s->ttyfd == -1)
+                return NULL;
+        buffer_init(&m);
+        buffer_put_cstring(&m, s->tty);
+        buffer_put_cstring(&m, display != NULL ? display : "");
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_CONSOLEKIT_REGISTER, &m);
+        buffer_clear(&m);
+
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_CONSOLEKIT_REGISTER, &m);
+        cookie = buffer_get_string(&m, NULL);
+        buffer_free(&m);
+
+        /* treat empty cookie as missing cookie */
+        if (strlen(cookie) == 0) {
+                xfree(cookie);
+                cookie = NULL;
+        }
+        return (cookie);
+}
+#endif /* USE_CONSOLEKIT */
         OM_uint32 major;
         u_int len;
 
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 4d12e2956..360fb9f57 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -131,4 +131,8 @@ void *mm_zalloc(struct mm_master *, u_int, u_int);
 void mm_zfree(struct mm_master *, void *);
 void mm_init_compression(struct mm_master *);
 
+#ifdef USE_CONSOLEKIT
+char *mm_consolekit_register(struct Session *, const char *);
+#endif /* USE_CONSOLEKIT */
+
 #endif /* _MM_WRAP_H_ */
diff --git a/session.c b/session.c
index a053913e1..1bffa6b06 100644
--- a/session.c
+++ b/session.c
@@ -91,6 +91,7 @@
 #include "kex.h"
 #include "monitor_wrap.h"
 #include "sftp.h"
+#include "consolekit.h"
 
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
@@ -1129,6 +1130,9 @@ do_setup_env(Session *s, const char *shell)
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
         char *path = NULL;
 #endif
+#ifdef USE_CONSOLEKIT
+        const char *ckcookie = NULL;
+#endif /* USE_CONSOLEKIT */
 
         /* Initialize the environment. */
         envsize = 100;
@@ -1273,6 +1277,11 @@ do_setup_env(Session *s, const char *shell)
                 child_set_env(&env, &envsize, "KRB5CCNAME",
                     s->authctxt->krb5_ccname);
 #endif
+#ifdef USE_CONSOLEKIT
+        ckcookie = PRIVSEP(consolekit_register(s, s->display));
+        if (ckcookie)
+                child_set_env(&env, &envsize, "XDG_SESSION_COOKIE", ckcookie);
+#endif /* USE_CONSOLEKIT */
 #ifdef USE_PAM
         /*
          * Pull in any environment variables that may have
@@ -2300,6 +2309,10 @@ session_pty_cleanup2(Session *s)
 
         debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
 
+#ifdef USE_CONSOLEKIT
+        consolekit_unregister(s);
+#endif /* USE_CONSOLEKIT */
+
         /* Record that the user has logged out. */
         if (s->pid != 0)
                 record_logout(s->pid, s->tty, s->pw->pw_name);
diff --git a/session.h b/session.h
index cb4f19600..7e51b6ae1 100644
--- a/session.h
+++ b/session.h
@@ -26,6 +26,8 @@
 #ifndef SESSION_H
 #define SESSION_H
 
+struct _CkConnector;
+
 #define TTYSZ 64
 typedef struct Session Session;
 struct Session {
@@ -60,6 +62,10 @@ struct Session {
                 char    *name;
                 char    *val;
         } *env;
+
+#ifdef USE_CONSOLEKIT
+        struct _CkConnector *ckc;
+#endif /* USE_CONSOLEKIT */
 };
 
 void     do_authenticated(Authctxt *);