New upstream release (7.6p1)

author: Colin Watson <cjwatson@debian.org> 2017-10-04 11:23:58 +0100
committer: Colin Watson <cjwatson@debian.org> 2017-10-05 23:58:12 +0100
commit: 0556ea972b15607b7e13ff31bc05840881c91dd3 (patch)
tree: d6b8d48062d0278b5ae0eeff42d0e9afa9f26860 /debian/patches/selinux-role.patch
parent: db2122d97eb1ecdd8d99b7bf79b0dd2b5addfd92 (diff)
parent: 801a62eedaaf47b20dbf4b426dc3e084bf0c8d49 (diff)
1 files changed, 38 insertions, 38 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index ae83d23b0..1402b9025 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From e5d3ea2ca423a54b1d53d45252cb7173a15600eb Mon Sep 17 00:00:00 2001
+From 4b276122c04aed0726803a92c8ca955e614a4d3a Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2015-08-19
+Last-Update: 2017-10-04
 Patch-Name: selinux-role.patch
 ---
@@ -31,31 +31,31 @@ Patch-Name: selinux-role.patch
 15 files changed, 97 insertions(+), 30 deletions(-)
 diff --git a/auth.h b/auth.h
-index 338a62da..8c658d16 100644
+index 29835ae9..27a1a88e 100644
 --- a/auth.h
 +++ b/auth.h
-@@ -62,6 +62,7 @@ struct Authctxt {
+@@ -63,6 +63,7 @@ struct Authctxt {
        char            *service;
        struct passwd   *pw;            /* set if 'valid' */
        char            *style;
 +       char            *role;
-        void            *kbdintctxt;
+ 
-        char            *info;          /* Extra info for next auth_log */
+        /* Method lists for multiple authentication */
- #ifdef BSD_AUTH
+        char            **auth_methods; /* modified from server config */
 diff --git a/auth2.c b/auth2.c
-index 946e9235..2f51be23 100644
+index 54070e3a..1f9ec632 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -221,7 +221,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
-        struct ssh *ssh = active_state; /* XXX */
+ {
-        Authctxt *authctxt = ctxt;
+        Authctxt *authctxt = ssh->authctxt;
        Authmethod *m = NULL;
 -       char *user, *service, *method, *style = NULL;
 +       char *user, *service, *method, *style = NULL, *role = NULL;
        int authenticated = 0;
 
        if (authctxt == NULL)
-@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -233,8 +233,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
        debug("userauth-request for user %s service %s method %s", user, service, method);
        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
@@ -69,7 +69,7 @@ index 946e9235..2f51be23 100644
 
        if (authctxt->attempt++ == 0) {
                /* setup auth context */
-@@ -257,8 +262,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -261,8 +266,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
                    use_privsep ? " [net]" : "");
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,7 +81,7 @@ index 946e9235..2f51be23 100644
                if (auth2_setup_methods_lists(authctxt) != 0)
                        packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index 506645c7..7452e20e 100644
+index cabfeb8a..510e3496 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
@@ -100,7 +100,7 @@ index 506645c7..7452e20e 100644
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -791,6 +793,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -799,6 +801,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
 
        /* Allow service/style information on the auth context */
        monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index 506645c7..7452e20e 100644
        monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 
 #ifdef USE_PAM
-@@ -821,14 +824,37 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -829,14 +832,37 @@ mm_answer_authserv(int sock, Buffer *m)
 
        authctxt->service = buffer_get_string(m, NULL);
        authctxt->style = buffer_get_string(m, NULL);
@@ -148,7 +148,7 @@ index 506645c7..7452e20e 100644
        return (0);
 }
 
-@@ -1463,7 +1489,7 @@ mm_answer_pty(int sock, Buffer *m)
+@@ -1471,7 +1497,7 @@ mm_answer_pty(int sock, Buffer *m)
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
@@ -171,10 +171,10 @@ index ec41404c..4c7955d7 100644
 
 struct monitor {
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index d5cb640a..2ff8064a 100644
+index 0e171a6a..d806bb2e 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
+@@ -336,10 +336,10 @@ mm_auth2_read_banner(void)
        return (banner);
 }
 
@@ -187,7 +187,7 @@ index d5cb640a..2ff8064a 100644
 {
        Buffer m;
 
-@@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style)
+@@ -348,12 +348,30 @@ mm_inform_authserv(char *service, char *style)
        buffer_init(&m);
        buffer_put_cstring(&m, service);
        buffer_put_cstring(&m, style ? style : "");
@@ -219,13 +219,13 @@ index d5cb640a..2ff8064a 100644
 int
 mm_auth_password(Authctxt *authctxt, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 8f9dd896..3e75867c 100644
+index 7b2e8945..a9ccb243 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
+@@ -41,7 +41,8 @@ int mm_is_monitor(void);
- int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
- int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
+ int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
+     const char *);
 -void mm_inform_authserv(char *, char *);
 +void mm_inform_authserv(char *, char *, char *);
 +void mm_inform_authrole(char *);
@@ -329,7 +329,7 @@ index 3c22a854..c8812942 100644
 void ssh_selinux_setfscreatecon(const char *);
 #endif
 diff --git a/platform.c b/platform.c
-index 973a63e4..cd7bf566 100644
+index 18c7751d..380ee3a4 100644
 --- a/platform.c
 +++ b/platform.c
 @@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
@@ -364,10 +364,10 @@ index ea4f9c58..60d72ffe 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index a08aa69d..ea3871eb 100644
+index 4bccb62d..d40afe4f 100644
 --- a/session.c
 +++ b/session.c
-@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1312,7 +1312,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -376,7 +376,7 @@ index a08aa69d..ea3871eb 100644
 {
        char *chroot_path, *tmp;
 
-@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1340,7 +1340,7 @@ do_setusercontext(struct passwd *pw)
                endgrent();
 #endif
 
@@ -385,16 +385,16 @@ index a08aa69d..ea3871eb 100644
 
                if (!in_chroot && options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1489,7 +1489,7 @@ do_child(Session *s, const char *command)
+@@ -1477,7 +1477,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
 -               do_setusercontext(pw);
 +               do_setusercontext(pw, s->authctxt->role);
-                child_close_fds();
+                child_close_fds(ssh);
                do_pwchange(s);
                exit(1);
-@@ -1511,7 +1511,7 @@ do_child(Session *s, const char *command)
+@@ -1499,7 +1499,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
        /* When PAM is enabled we rely on it to do the nologin check */
        if (!options.use_pam)
                do_nologin(pw);
@@ -403,7 +403,7 @@ index a08aa69d..ea3871eb 100644
        /*
         * PAM session modules in do_setusercontext may have
         * generated messages, so if this in an interactive
-@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)
+@@ -1891,7 +1891,7 @@ session_pty_req(struct ssh *ssh, Session *s)
        tty_parse_modes(s->ttyfd, &n_bytes);
 
        if (!use_privsep)
@@ -413,23 +413,23 @@ index a08aa69d..ea3871eb 100644
        /* Set window size from the packet. */
        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
 diff --git a/session.h b/session.h
-index 98e1dafe..0a31dce4 100644
+index 54dd1f0c..8535ebce 100644
 --- a/session.h
 +++ b/session.h
 @@ -76,7 +76,7 @@ void   session_pty_cleanup2(Session *);
 Session        *session_new(void);
 Session        *session_by_tty(char *);
- void    session_close(Session *);
+ void    session_close(struct ssh *, Session *);
 -void    do_setusercontext(struct passwd *);
 +void    do_setusercontext(struct passwd *, const char *);
- void    child_set_env(char ***envp, u_int *envsizep, const char *name,
+ 
-                       const char *value);
+ const char     *session_get_remote_name_or_ip(struct ssh *, u_int, int);
 
 diff --git a/sshd.c b/sshd.c
-index 38cf9b49..9221632e 100644
+index a66e9ca6..af1ec337 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -677,7 +677,7 @@ privsep_postauth(Authctxt *authctxt)
        reseed_prngs();
 
        /* Drop privileges */
author	Colin Watson <cjwatson@debian.org>	2017-10-04 11:23:58 +0100
committer	Colin Watson <cjwatson@debian.org>	2017-10-05 23:58:12 +0100
commit	0556ea972b15607b7e13ff31bc05840881c91dd3 (patch)
tree	d6b8d48062d0278b5ae0eeff42d0e9afa9f26860 /debian/patches/selinux-role.patch
parent	db2122d97eb1ecdd8d99b7bf79b0dd2b5addfd92 (diff)
parent	801a62eedaaf47b20dbf4b426dc3e084bf0c8d49 (diff)

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index ae83d23b0..1402b9025 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1	From e5d3ea2ca423a54b1d53d45252cb7173a15600eb Mon Sep 17 00:00:00 2001	1	From 4b276122c04aed0726803a92c8ca955e614a4d3a Mon Sep 17 00:00:00 2001
2	From: Manoj Srivastava <srivasta@debian.org>	2	From: Manoj Srivastava <srivasta@debian.org>
3	Date: Sun, 9 Feb 2014 16:09:49 +0000	3	Date: Sun, 9 Feb 2014 16:09:49 +0000
4	Subject: Handle SELinux authorisation roles	4	Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
9		9
10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641	10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
11	Bug-Debian: http://bugs.debian.org/394795	11	Bug-Debian: http://bugs.debian.org/394795
12	Last-Update: 2015-08-19	12	Last-Update: 2017-10-04
13		13
14	Patch-Name: selinux-role.patch	14	Patch-Name: selinux-role.patch
15	---	15	---
@@ -31,31 +31,31 @@ Patch-Name: selinux-role.patch
31	15 files changed, 97 insertions(+), 30 deletions(-)	31	15 files changed, 97 insertions(+), 30 deletions(-)
32		32
33	diff --git a/auth.h b/auth.h	33	diff --git a/auth.h b/auth.h
34	index 338a62da..8c658d16 100644	34	index 29835ae9..27a1a88e 100644
35	--- a/auth.h	35	--- a/auth.h
36	+++ b/auth.h	36	+++ b/auth.h
37	@@ -62,6 +62,7 @@ struct Authctxt {	37	@@ -63,6 +63,7 @@ struct Authctxt {
38	char *service;	38	char *service;
39	struct passwd pw; / set if 'valid' */	39	struct passwd pw; / set if 'valid' */
40	char *style;	40	char *style;
41	+ char *role;	41	+ char *role;
42	void *kbdintctxt;	42
43	char info; / Extra info for next auth_log */	43	/* Method lists for multiple authentication */
44	#ifdef BSD_AUTH	44	char *auth_methods; / modified from server config */
45	diff --git a/auth2.c b/auth2.c	45	diff --git a/auth2.c b/auth2.c
46	index 946e9235..2f51be23 100644	46	index 54070e3a..1f9ec632 100644
47	--- a/auth2.c	47	--- a/auth2.c
48	+++ b/auth2.c	48	+++ b/auth2.c
49	@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)	49	@@ -221,7 +221,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
50	struct ssh ssh = active_state; / XXX */	50	{
51	Authctxt *authctxt = ctxt;	51	Authctxt *authctxt = ssh->authctxt;
52	Authmethod *m = NULL;	52	Authmethod *m = NULL;
53	- char user, service, method, style = NULL;	53	- char user, service, method, style = NULL;
54	+ char user, service, method, style = NULL, *role = NULL;	54	+ char user, service, method, style = NULL, *role = NULL;
55	int authenticated = 0;	55	int authenticated = 0;
56		56
57	if (authctxt == NULL)	57	if (authctxt == NULL)
58	@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)	58	@@ -233,8 +233,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
59	debug("userauth-request for user %s service %s method %s", user, service, method);	59	debug("userauth-request for user %s service %s method %s", user, service, method);
60	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);	60	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
61		61
@@ -69,7 +69,7 @@ index 946e9235..2f51be23 100644
69		69
70	if (authctxt->attempt++ == 0) {	70	if (authctxt->attempt++ == 0) {
71	/* setup auth context */	71	/* setup auth context */
72	@@ -257,8 +262,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)	72	@@ -261,8 +266,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
73	use_privsep ? " [net]" : "");	73	use_privsep ? " [net]" : "");
74	authctxt->service = xstrdup(service);	74	authctxt->service = xstrdup(service);
75	authctxt->style = style ? xstrdup(style) : NULL;	75	authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,7 +81,7 @@ index 946e9235..2f51be23 100644
81	if (auth2_setup_methods_lists(authctxt) != 0)	81	if (auth2_setup_methods_lists(authctxt) != 0)
82	packet_disconnect("no authentication methods enabled");	82	packet_disconnect("no authentication methods enabled");
83	diff --git a/monitor.c b/monitor.c	83	diff --git a/monitor.c b/monitor.c
84	index 506645c7..7452e20e 100644	84	index cabfeb8a..510e3496 100644
85	--- a/monitor.c	85	--- a/monitor.c
86	+++ b/monitor.c	86	+++ b/monitor.c
87	@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);	87	@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
@@ -100,7 +100,7 @@ index 506645c7..7452e20e 100644
100	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},	100	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
101	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},	101	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
102	#ifdef USE_PAM	102	#ifdef USE_PAM
103	@@ -791,6 +793,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)	103	@@ -799,6 +801,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
104		104
105	/* Allow service/style information on the auth context */	105	/* Allow service/style information on the auth context */
106	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);	106	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index 506645c7..7452e20e 100644
108	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);	108	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
109		109
110	#ifdef USE_PAM	110	#ifdef USE_PAM
111	@@ -821,14 +824,37 @@ mm_answer_authserv(int sock, Buffer *m)	111	@@ -829,14 +832,37 @@ mm_answer_authserv(int sock, Buffer *m)
112		112
113	authctxt->service = buffer_get_string(m, NULL);	113	authctxt->service = buffer_get_string(m, NULL);
114	authctxt->style = buffer_get_string(m, NULL);	114	authctxt->style = buffer_get_string(m, NULL);
@@ -148,7 +148,7 @@ index 506645c7..7452e20e 100644
148	return (0);	148	return (0);
149	}	149	}
150		150
151	@@ -1463,7 +1489,7 @@ mm_answer_pty(int sock, Buffer *m)	151	@@ -1471,7 +1497,7 @@ mm_answer_pty(int sock, Buffer *m)
152	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));	152	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
153	if (res == 0)	153	if (res == 0)
154	goto error;	154	goto error;
@@ -171,10 +171,10 @@ index ec41404c..4c7955d7 100644
171		171
172	struct monitor {	172	struct monitor {
173	diff --git a/monitor_wrap.c b/monitor_wrap.c	173	diff --git a/monitor_wrap.c b/monitor_wrap.c
174	index d5cb640a..2ff8064a 100644	174	index 0e171a6a..d806bb2e 100644
175	--- a/monitor_wrap.c	175	--- a/monitor_wrap.c
176	+++ b/monitor_wrap.c	176	+++ b/monitor_wrap.c
177	@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)	177	@@ -336,10 +336,10 @@ mm_auth2_read_banner(void)
178	return (banner);	178	return (banner);
179	}	179	}
180		180
@@ -187,7 +187,7 @@ index d5cb640a..2ff8064a 100644
187	{	187	{
188	Buffer m;	188	Buffer m;
189		189
190	@@ -339,12 +339,30 @@ mm_inform_authserv(char service, char style)	190	@@ -348,12 +348,30 @@ mm_inform_authserv(char service, char style)
191	buffer_init(&m);	191	buffer_init(&m);
192	buffer_put_cstring(&m, service);	192	buffer_put_cstring(&m, service);
193	buffer_put_cstring(&m, style ? style : "");	193	buffer_put_cstring(&m, style ? style : "");
@@ -219,13 +219,13 @@ index d5cb640a..2ff8064a 100644
219	int	219	int
220	mm_auth_password(Authctxt authctxt, char password)	220	mm_auth_password(Authctxt authctxt, char password)
221	diff --git a/monitor_wrap.h b/monitor_wrap.h	221	diff --git a/monitor_wrap.h b/monitor_wrap.h
222	index 8f9dd896..3e75867c 100644	222	index 7b2e8945..a9ccb243 100644
223	--- a/monitor_wrap.h	223	--- a/monitor_wrap.h
224	+++ b/monitor_wrap.h	224	+++ b/monitor_wrap.h
225	@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char , void );	225	@@ -41,7 +41,8 @@ int mm_is_monitor(void);
226	int mm_is_monitor(void);
227	DH *mm_choose_dh(int, int, int);	226	DH *mm_choose_dh(int, int, int);
228	int mm_key_sign(Key , u_char , u_int , const u_char , u_int, const char );	227	int mm_key_sign(struct sshkey , u_char , u_int , const u_char *, u_int,
		228	const char *);
229	-void mm_inform_authserv(char , char );	229	-void mm_inform_authserv(char , char );
230	+void mm_inform_authserv(char , char , char *);	230	+void mm_inform_authserv(char , char , char *);
231	+void mm_inform_authrole(char *);	231	+void mm_inform_authrole(char *);
@@ -329,7 +329,7 @@ index 3c22a854..c8812942 100644
329	void ssh_selinux_setfscreatecon(const char *);	329	void ssh_selinux_setfscreatecon(const char *);
330	#endif	330	#endif
331	diff --git a/platform.c b/platform.c	331	diff --git a/platform.c b/platform.c
332	index 973a63e4..cd7bf566 100644	332	index 18c7751d..380ee3a4 100644
333	--- a/platform.c	333	--- a/platform.c
334	+++ b/platform.c	334	+++ b/platform.c
335	@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)	335	@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
@@ -364,10 +364,10 @@ index ea4f9c58..60d72ffe 100644
364	char platform_krb5_get_principal_name(const char );	364	char platform_krb5_get_principal_name(const char );
365	int platform_sys_dir_uid(uid_t);	365	int platform_sys_dir_uid(uid_t);
366	diff --git a/session.c b/session.c	366	diff --git a/session.c b/session.c
367	index a08aa69d..ea3871eb 100644	367	index 4bccb62d..d40afe4f 100644
368	--- a/session.c	368	--- a/session.c
369	+++ b/session.c	369	+++ b/session.c
370	@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)	370	@@ -1312,7 +1312,7 @@ safely_chroot(const char *path, uid_t uid)
371		371
372	/* Set login name, uid, gid, and groups. */	372	/* Set login name, uid, gid, and groups. */
373	void	373	void
@@ -376,7 +376,7 @@ index a08aa69d..ea3871eb 100644
376	{	376	{
377	char chroot_path, tmp;	377	char chroot_path, tmp;
378		378
379	@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)	379	@@ -1340,7 +1340,7 @@ do_setusercontext(struct passwd *pw)
380	endgrent();	380	endgrent();
381	#endif	381	#endif
382		382
@@ -385,16 +385,16 @@ index a08aa69d..ea3871eb 100644
385		385
386	if (!in_chroot && options.chroot_directory != NULL &&	386	if (!in_chroot && options.chroot_directory != NULL &&
387	strcasecmp(options.chroot_directory, "none") != 0) {	387	strcasecmp(options.chroot_directory, "none") != 0) {
388	@@ -1489,7 +1489,7 @@ do_child(Session s, const char command)	388	@@ -1477,7 +1477,7 @@ do_child(struct ssh ssh, Session s, const char *command)
389		389
390	/* Force a password change */	390	/* Force a password change */
391	if (s->authctxt->force_pwchange) {	391	if (s->authctxt->force_pwchange) {
392	- do_setusercontext(pw);	392	- do_setusercontext(pw);
393	+ do_setusercontext(pw, s->authctxt->role);	393	+ do_setusercontext(pw, s->authctxt->role);
394	child_close_fds();	394	child_close_fds(ssh);
395	do_pwchange(s);	395	do_pwchange(s);
396	exit(1);	396	exit(1);
397	@@ -1511,7 +1511,7 @@ do_child(Session s, const char command)	397	@@ -1499,7 +1499,7 @@ do_child(struct ssh ssh, Session s, const char *command)
398	/* When PAM is enabled we rely on it to do the nologin check */	398	/* When PAM is enabled we rely on it to do the nologin check */
399	if (!options.use_pam)	399	if (!options.use_pam)
400	do_nologin(pw);	400	do_nologin(pw);
@@ -403,7 +403,7 @@ index a08aa69d..ea3871eb 100644
403	/*	403	/*
404	* PAM session modules in do_setusercontext may have	404	* PAM session modules in do_setusercontext may have
405	* generated messages, so if this in an interactive	405	* generated messages, so if this in an interactive
406	@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)	406	@@ -1891,7 +1891,7 @@ session_pty_req(struct ssh ssh, Session s)
407	tty_parse_modes(s->ttyfd, &n_bytes);	407	tty_parse_modes(s->ttyfd, &n_bytes);
408		408
409	if (!use_privsep)	409	if (!use_privsep)
@@ -413,23 +413,23 @@ index a08aa69d..ea3871eb 100644
413	/* Set window size from the packet. */	413	/* Set window size from the packet. */
414	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);	414	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
415	diff --git a/session.h b/session.h	415	diff --git a/session.h b/session.h
416	index 98e1dafe..0a31dce4 100644	416	index 54dd1f0c..8535ebce 100644
417	--- a/session.h	417	--- a/session.h
418	+++ b/session.h	418	+++ b/session.h
419	@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);	419	@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
420	Session *session_new(void);	420	Session *session_new(void);
421	Session session_by_tty(char );	421	Session session_by_tty(char );
422	void session_close(Session *);	422	void session_close(struct ssh , Session );
423	-void do_setusercontext(struct passwd *);	423	-void do_setusercontext(struct passwd *);
424	+void do_setusercontext(struct passwd , const char );	424	+void do_setusercontext(struct passwd , const char );
425	void child_set_env(char **envp, u_int envsizep, const char *name,	425
426	const char *value);	426	const char session_get_remote_name_or_ip(struct ssh , u_int, int);
427		427
428	diff --git a/sshd.c b/sshd.c	428	diff --git a/sshd.c b/sshd.c
429	index 38cf9b49..9221632e 100644	429	index a66e9ca6..af1ec337 100644
430	--- a/sshd.c	430	--- a/sshd.c
431	+++ b/sshd.c	431	+++ b/sshd.c
432	@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)	432	@@ -677,7 +677,7 @@ privsep_postauth(Authctxt *authctxt)
433	reseed_prngs();	433	reseed_prngs();
434		434
435	/* Drop privileges */	435	/* Drop privileges */