openssh bugs - Oct 2008 - [Bug 1534] New: openssh calls pam functions in the wrong order on logout

https://bugzilla.mindrot.org/show_bug.cgi?id=1534

           Summary: openssh calls pam functions in the wrong order on
                    logout
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: anicka at suse.cz


Created an attachment (id=1577)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1577)
openssh pam fix for calling functions in the right order on logout

Copied from original bugreport by Andreas Schwab in Novell bugzilla:

openssh calls the pam functions on logout in the wrong order.

pam_setcred with the DELETE_CRED flag is called before
pam_close_session is called.

This means that e.g. a kerberos aware module can't use the kerberos
credentials cache to close it's session, cause the tickets are already
gone.

pam_setcred with DELETE_CRED should be called after pam_close_session.

See attached patch.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1534


Andreas Schneider <mail at cynapses.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |major
                 CC|                            |mail at cynapses.org




--- Comment #1 from Andreas Schneider <mail at cynapses.org>  2009-06-15
20:43:14 ---
I've created the patch last year. This is really a annoying bug if
you're relying on kerberos and it doesn't work.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1534


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
                 CC|                            |dtucker at zip.com.au




--- Comment #2 from Darren Tucker <dtucker at zip.com.au>  2009-07-12
22:12:00 ---
Patch applied, thanks.

I will point out that the order these functions are supposed to be
called is not specified in either the original PAM spec or XSSO, and
the man pages on different platforms give conflicting advice, so
there's a decent chance this will break something else.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1534

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> 2009-10-06 15:03:20
EST ---
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.