Dr. Carsten Benecke
2003-Sep-26 13:01 UTC
openssh-3.7.1p2: no pam_close_session() invocation
Hello,

I would like to use PAM. All PAM interaction worked well with openssh-3.5. Now that I have tried to upgrade to 3.7.1p1/p2 the pam_close_session() function won't get invoked. Some debugging shows that the call is protected by an if-statement (module auth-pam.c, function sshpam_cleanup):

    if (sshpam_session_open) {
            pam_close_session(sshpam_handle, PAM_SILENT);
            /* cb, 26.09.03 */
            debug2("\n\nin sshpam_cleanup: mypid = %d\n\n", getpid());
            sshpam_session_open = 0;
    }

I guess that the forked child process that calls the sshpam_cleanup() function is forked before the parent calls do_pam_session() (which sets sshpam_session_open to true).

pam_close_session() will be invoked by removing the surrounding if-statement. Is this a bug?

My changes to the default sshd_conf are:

72c72
< UsePAM yes
---
> #UsePAM yes
83c83
< UsePrivilegeSeparation no
---
> #UsePrivilegeSeparation yes
96c96
< #Subsystem sftp /local/libexec/sftp-server
---
> Subsystem sftp /local/libexec/sftp-server

By the way: This is a bug in the documentation: The default for UsePAM in 3.7.1p2 is "no" while "#UsePAM yes" implies the opposite.

Regards,
Carsten

--
Dr. Carsten Benecke, Regionales Rechenzentrum, Universität Hamburg, Schlüterstr. 70, D-20146 Hamburg, Tel.: ++49 40 42838 3097, Fax: ++49 40 42838 3096, mailto: Carsten.Benecke at rrz.uni-hamburg.de
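Review bot: the 83c83 change sets UsePrivilegeSeparation no, so the report as written covers only the code path without privilege separation. It would help to state whether pam_close_session() is also skipped with the default setting, and why privilege separation had to be turned off, since that setting removes the unprivileged process that otherwise handles the pre-authentication network traffic.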
Somebody posted about this on September 26th but I don't see a follow-up to the list: pam_close_session() doesn't seem to get called when PrivilegeSeparation is turned off. (Turning it on breaks other things, those details available on request). Can one of the developers confirm that the original poster's patch is correct, and this will be fixed next time around? (Yes, I could try half-blindly hacking my source, but that seems pointless since a new version comes out every n days..) -chris
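The mechanism guessed at in the first message (a child forked before the parent sets sshpam_session_open keeps its own copy of the flag at 0, so the guarded close never runs there), as an added C example that is not OpenSSH code and not from either poster. The names session_open, cleanup_would_close and child_closes_session are hypothetical stand-ins.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for sshpam_session_open: each process has its own copy after fork(). */
static int session_open = 0;

/* Stand-in for the guarded cleanup: returns 1 if the close step would run. */
static int cleanup_would_close(void)
{
    if (session_open) {
        session_open = 0;
        return 1;
    }
    return 0;
}

/*
 * Fork a child that runs the cleanup and reports the result as its exit status.
 * open_before_fork != 0: flag is set before fork(), so the child inherits it.
 * open_before_fork == 0: flag is set in the parent after fork(); the child's copy stays 0.
 * Returns 1 if the child would close the session, 0 if not, -1 on error.
 */
int child_closes_session(int open_before_fork)
{
    int status;
    pid_t pid;

    session_open = open_before_fork ? 1 : 0;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(cleanup_would_close());   /* child: sees only its own copy */
    if (!open_before_fork)
        session_open = 1;               /* parent only: invisible to the child */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    session_open = 0;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("flag set before fork: child closes = %d\n", child_closes_session(1));
    printf("flag set after fork:  child closes = %d\n", child_closes_session(0));
    return 0;
}
```

The result does not depend on scheduling: whichever process runs first, the parent's later write never reaches the child's address space.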