As has often been mentioned, Solaris (at least 7 and 8) gives a debug1 message
on logout: Cannot delete credentials. This occurs when in auth-pam.c,
function do_pam_cleanup_proc(), pam_setcred(__pamh, PAM_DELETE_CRED) is
called under UID 0. I suggested a patch for this on Nov 22, 2001, based on
openssh 2.9.9p2 through 3.0.1p1. [The attempt in my patch to reset to UID 0
by "if (!flag) setuid(0);" does not actually work but seems not to be
required.]
Now in 3.4p1 with privilege separation, I found this patch was no more
necessary, whereas without privilege separation, behavior was as before.
For an ssh root login, the message always occurred, even with privilege
separation. Experimenting, I found that do_pam_cleanup_proc() runs as the
logged-in user with privilege separation but as root without privilege
separation. Also I found that pam_setcred(__pamh, PAM_DELETE_CRED) works
for any nonzero UID (strange!) Thus the whole patch can be simplified to
the following:
*** auth-pam.c.ORI Wed May 8 04:27:56 2002
--- auth-pam.c Wed Oct 2 18:11:39 2002
***************
*** 185,190 ****
--- 185,192 ----
}
if (__pamh && creds_set) {
+ if (getuid() == 0)
+ setuid(1);
pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s",
