- (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic

   authentication early enough to be available to PAM session modules when
   privsep=yes.  Patch from deengert at anl.gov, ok'ed in principle by Sam
   Hartman and similar to Debian's ssh-krb5 package.

1 files changed, 14 insertions, 8 deletions

diff --git a/session.c b/session.c
index 1896e141f..df7552334 100644
--- a/session.c
+++ b/session.c
@@ -677,14 +677,6 @@ do_exec(Session *s, const char *command)
         }
 #endif
 
-#ifdef GSSAPI
-        if (options.gss_authentication) {
-                temporarily_use_uid(s->pw);
-                ssh_gssapi_storecreds();
-                restore_uid();
-        }
-#endif
-
         if (s->ttyfd != -1)
                 do_exec_pty(s, command);
         else
@@ -1279,6 +1271,13 @@ do_setusercontext(struct passwd *pw)
 # ifdef __bsdi__
                 setpgid(0, 0);
 # endif
+#ifdef GSSAPI
+                if (options.gss_authentication) {
+                        temporarily_use_uid(pw);
+                        ssh_gssapi_storecreds();
+                        restore_uid();
+                }
+#endif
 # ifdef USE_PAM
                 if (options.use_pam) {
                         do_pam_session();
@@ -1309,6 +1308,13 @@ do_setusercontext(struct passwd *pw)
                         exit(1);
                 }
                 endgrent();
+#ifdef GSSAPI
+                if (options.gss_authentication) {
+                        temporarily_use_uid(pw);
+                        ssh_gssapi_storecreds();
+                        restore_uid();
+                }
+#endif
 # ifdef USE_PAM
                 /*
                  * PAM credentials may take the form of supplementary groups.