From c97b01af62fa73b31a5b0c86c21c3347cdd0874d Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Wed, 16 Feb 2005 16:47:37 +1100
Subject: - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic authentication early enough to be available to PAM session modules when privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam Hartman and similar to Debian's ssh-krb5 package.
---
 session.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
(limited to 'session.c')

diff --git a/session.c b/session.c
index 1896e141f..df7552334 100644
--- a/session.c
+++ b/session.c
@@ -677,14 +677,6 @@ do_exec(Session *s, const char *command)
 }
 #endif
 
-#ifdef GSSAPI
- if (options.gss_authentication) {
- temporarily_use_uid(s->pw);
- ssh_gssapi_storecreds();
- restore_uid();
- }
-#endif
-
 if (s->ttyfd != -1)
 do_exec_pty(s, command);
 else
@@ -1279,6 +1271,13 @@ do_setusercontext(struct passwd *pw)
 # ifdef __bsdi__
 setpgid(0, 0);
 # endif
+#ifdef GSSAPI
+ if (options.gss_authentication) {
+ temporarily_use_uid(pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+ }
+#endif
 # ifdef USE_PAM
 if (options.use_pam) {
 do_pam_session();
@@ -1309,6 +1308,13 @@ do_setusercontext(struct passwd *pw)
 exit(1);
 }
 endgrent();
+#ifdef GSSAPI
+ if (options.gss_authentication) {
+ temporarily_use_uid(pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+ }
+#endif
 # ifdef USE_PAM
 /*
 * PAM credentials may take the form of supplementary groups.
-- 
cgit v1.2.3
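Review bot: The GSSAPI block added ahead of `do_pam_session()` only works because of where it sits, and the code does not say so: the ordering requirement is recorded in the commit message alone. A comment above the `#ifdef GSSAPI`, e.g. `/* Store GSSAPI creds before PAM session modules run (Bug #918) */`, would stop a later reorder from silently undoing the fix. The same block is added a second time in the hunk at -1309; a small `static` helper taking `pw` would keep the two copies in step, and the new `#ifdef`/`#endif` could follow the `# ifdef` indentation of the neighbouring directives. do_setusercontext's body starts and ends outside this hunk.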
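Review bot: With the store now in do_setusercontext() (here after `endgrent()`, and in the hunk at -1279) rather than do_exec(), the process that writes the credentials and the number of times it does so depend on do_setusercontext()'s callers, which this patch does not show. If one of them is a per-session child, which seems likely when privilege separation is off, the record of what was stored would live only in that child, so the code that removes the credentials at session end may not find them, and each session would store again. Please confirm the cleanup path still sees the stored credentials in both privsep modes, and add a comment naming the process expected to reach this block. The enclosing function continues outside the hunk.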