- (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move

   pam_open_session and pam_close_session into the privsep monitor, which
   will ensure that pam_session_close is called as root.  Patch from Tomas
   Mraz.

1 files changed, 14 insertions, 0 deletions

diff --git a/sshd.c b/sshd.c
index 5ea87f0f9..5dfc2b185 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1847,6 +1847,20 @@ main(int ac, char **av)
         audit_event(SSH_AUTH_SUCCESS);
 #endif
 
+#ifdef GSSAPI
+        if (options.gss_authentication) {
+                temporarily_use_uid(authctxt->pw);
+                ssh_gssapi_storecreds();
+                restore_uid();
+        }
+#endif
+#ifdef USE_PAM
+        if (options.use_pam) {
+                do_pam_setcred(1);
+                do_pam_session();
+        }
+#endif
+
         /*
          * In privilege separation, we fork another child and prepare
          * file descriptor passing.