components/openssh/patches/042-pam_setcred_converse.patch
author Rich Burridge <rich.burridge@oracle.com>
Tue, 02 May 2017 17:33:26 -0700
changeset 7964 d9801318ed3d
parent 5612 ece68a956e2f
permissions -rw-r--r--
25981468 Build ilmbase and openexr with the GNU compilers

#
# Allow PAM conversation for pam_setcred for keyboard-interactive auth
#
# Currently OpenSSH runs pam_setcred with 'fake' conversation function
# sshpam_store_conv. If some PAM module actually tries to converse for
# pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR.
#
# This patch moves the pam_setcred call to the end of the actual PAM
# authentication, where a real conversation function is still
# installed. If pam_setcred has already been called there,
# do_pam_setcred does not call it a second time.
#
# Patch origin: in-house
#
# Reported upstream:
# https://bugzilla.mindrot.org/show_bug.cgi?id=2549
#

diff -pur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c
+++ new/auth-pam.c
@@ -399,6 +399,10 @@ sshpam_thread(struct pam_ctxt *ctxt)
 				goto auth_fail;
 			sshpam_password_change_required(0);
 		}
+		sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
+		if (sshpam_err != PAM_SUCCESS)
+			goto auth_fail;
+		
 	}
 
 	ctxt->pam_done = 1;
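Review bot: The pam_setcred(PAM_ESTABLISH_CRED) added at the end of the compat20 block runs in whatever context sshpam_thread executes in, and if this build runs sshpam_thread as a forked child rather than a real pthread, process-local effects of establishing credentials (supplementary groups, pam_putenv entries) stay in that child and never reach the monitor or the session process; together with the early return this patch adds to do_pam_setcred, the session would then start without them. That depends on the threading configuration of this build, which is not visible here, and should be confirmed before the skip is relied on. The `goto auth_fail` on a non-PAM_SUCCESS return turns a credential failure into an authentication failure, which is the right fail-closed default but deserves a comment so the next reader does not "fix" it, e.g. `/* Establish credentials while the real conversation function is still installed; a failure is reported as an authentication failure. */`. The added line containing only tabs before the closing brace is whitespace-only and should be dropped. sshpam_thread begins before this hunk.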
@@ -968,6 +972,8 @@ do_pam_set_tty(const char *tty)
 void
 do_pam_setcred(int init)
 {
+	if (compat20 && (sshpam_authenticated == 1))
+		return;	/* pam_setcred already done */
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&store_conv);
 	if (sshpam_err != PAM_SUCCESS)
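Review bot: The new guard returns before consulting `init`, so a caller that does not ask for initial establishment (init == 0, which the parameter name suggests selects a reinitialize flavour of pam_setcred in the part of the function below this hunk) is skipped just like one asking for PAM_ESTABLISH_CRED, and the pam_set_item(PAM_CONV, &store_conv) on the following lines is skipped as well, leaving whatever conversation function was last installed on the handle. If the intent is only to avoid a second PAM_ESTABLISH_CRED after sshpam_thread, narrowing the check to `if (compat20 && init && sshpam_authenticated == 1) return; /* PAM_ESTABLISH_CRED already done in sshpam_thread */` keeps the reinitialize path and the PAM_CONV reset intact. Whether sshpam_authenticated is set only after a successful keyboard-interactive exchange, and therefore only after the thread's pam_setcred has succeeded, is not visible in this hunk and should be confirmed against sshpam_query. The pam_setcred call itself in do_pam_setcred lies outside the hunk.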