2 files changed, 19 insertions, 8 deletions

diff --git a/ChangeLog b/ChangeLog
index 9ce0adb09..bc6b40dae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,9 +12,9 @@
      add prototypes for -Wall; ok djm
    - djm@cvs.openbsd.org 2004/05/21 11:33:11
      [channels.c channels.h clientloop.c serverloop.c ssh.1]
-     bz #756: add support for the cancel-tcpip-forward request for the server and
-     the client (through the ~C commandline). reported by z3p AT twistedmatrix.com;
-     ok markus@
+     bz #756: add support for the cancel-tcpip-forward request for the server
+     and the client (through the ~C commandline). reported by z3p AT
+     twistedmatrix.com; ok markus@
    - djm@cvs.openbsd.org 2004/05/22 06:32:12
      [clientloop.c ssh.1]
      use '-h' for help in ~C commandline instead of '-?'; inspired by jmc@
@@ -22,8 +22,12 @@
      [ssh.1]
      kill whitespace at eol;
    - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
-     [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
+     [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config
+     sshd_config.5]
      Add MaxAuthTries sshd config option; ok markus@
+ - (dtucker) [auth-pam.c] Bug #839: Ensure that pam authentication "thread"
+   is terminated if the privsep slave exits during keyboard-interactive
+   authentication.  ok djm@
 
 20040523
  - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in 
@@ -1153,4 +1157,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3365 2004/05/24 00:36:23 dtucker Exp $
+$Id: ChangeLog,v 1.3366 2004/05/24 01:55:36 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index faa0b904f..833c850e7 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.101 2004/05/13 07:29:35 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.102 2004/05/24 01:55:36 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -93,10 +93,17 @@ static mysig_t sshpam_oldsig;
 static void 
 sshpam_sigchld_handler(int sig)
 {
+        signal(SIGCHLD, SIG_DFL);
         if (cleanup_ctxt == NULL)
                 return; /* handler called after PAM cleanup, shouldn't happen */
-        if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) == -1)
-                return; /* couldn't wait for process */
+        if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG)
+             == -1) {
+                /* PAM thread has not exitted, privsep slave must have */
+                kill(cleanup_ctxt->pam_thread, SIGTERM);
+                if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
+                    == -1)
+                        return; /* could not wait */
+        }
         if (WIFSIGNALED(sshpam_thread_status) &&
             WTERMSIG(sshpam_thread_status) == SIGTERM)
                 return; /* terminated by pthread_cancel */