diff -up openssh-4.7p1/session.c.pam-session openssh-4.7p1/session.c
--- openssh-4.7p1/session.c.pam-session	2007-08-16 15:28:04.000000000 +0200
+++ openssh-4.7p1/session.c	2007-09-06 17:37:46.000000000 +0200
@@ -422,11 +422,6 @@ do_exec_no_pty(Session *s, const char *c
 	session_proctitle(s);
-#if defined(USE_PAM)
-	if (options.use_pam && !use_privsep)
-		do_pam_setcred(1);
-#endif /* USE_PAM */
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -557,14 +552,6 @@ do_exec_pty(Session *s, const char *comm
 	ptyfd = s->ptyfd;
 	ttyfd = s->ttyfd;
-#if defined(USE_PAM)
-	if (options.use_pam) {
-		do_pam_set_tty(s->tty);
-		if (!use_privsep)
-			do_pam_setcred(1);
-	}
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		is_child = 1;
@@ -1300,17 +1287,9 @@ do_setusercontext(struct passwd *pw)
 # ifdef __bsdi__
 	setpgid(0, 0);
 # endif
-#ifdef GSSAPI
-	if (options.gss_authentication) {
-		temporarily_use_uid(pw);
-		ssh_gssapi_storecreds();
-		restore_uid();
-	}
-#endif
 # ifdef USE_PAM
 	if (options.use_pam) {
-		do_pam_session();
-		do_pam_setcred(use_privsep);
+		do_pam_setcred(0);
 	}
 # endif /* USE_PAM */
 	if (setusercontext(lc, pw, pw->pw_uid,
@@ -1337,13 +1316,6 @@ do_setusercontext(struct passwd *pw)
 		exit(1);
 	}
 	endgrent();
-#ifdef GSSAPI
-	if (options.gss_authentication) {
-		temporarily_use_uid(pw);
-		ssh_gssapi_storecreds();
-		restore_uid();
-	}
-#endif
 # ifdef USE_PAM
 	/*
 	 * PAM credentials may take the form of supplementary groups.
@@ -1351,8 +1323,7 @@ do_setusercontext(struct passwd *pw)
 	 * Reestablish them here.
 	 */
 	if (options.use_pam) {
-		do_pam_session();
-		do_pam_setcred(use_privsep);
+		do_pam_setcred(0);
 	}
 # endif /* USE_PAM */
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
diff -up openssh-4.7p1/sshd.c.pam-session openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.pam-session	2007-09-06 17:37:46.000000000 +0200
+++ openssh-4.7p1/sshd.c	2007-09-06 17:37:46.000000000 +0200
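Review bot: The `do_pam_set_tty(s->tty)` call dropped in the do_exec_pty hunk is not re-added anywhere in this patch, so for pty sessions the PAM handle presumably no longer carries PAM_TTY at all: the session is now opened in sshd.c main before any pty exists, and the child only calls `do_pam_setcred(0)` in the two do_setusercontext hunks. Session modules that key on the tty item (lastlog/wtmp-style accounting, tty-based access rules) would see no tty, which is a behavioural regression the commit message should either justify or fix by setting the tty item before the session is opened. At minimum, the `do_pam_setcred(0)` lines deserve a comment such as `/* session and credentials were established by sshd.c before the privsep fork; only reinitialize here */` so the next reader does not reinstate the old calls. do_setusercontext starts and ends outside these hunks, and the same replacement appears in both its setusercontext and endgrent variants.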
@@ -1831,7 +1831,21 @@ main(int ac, char **av)
 	audit_event(SSH_AUTH_SUCCESS);
 #endif
-	/*
+#ifdef GSSAPI
+	if (options.gss_authentication) {
+		temporarily_use_uid(authctxt->pw);
+		ssh_gssapi_storecreds();
+		restore_uid();
+	}
+#endif
+#ifdef USE_PAM
+	if (options.use_pam) {
+		do_pam_setcred(1);
+		do_pam_session();
+	}
+#endif
+
+	/*
 	 * In privilege separation, we fork another child and prepare
 	 * file descriptor passing.
 	 */
diff -up openssh-4.7p1/monitor.c.pam-session openssh-4.7p1/monitor.c
--- openssh-4.7p1/monitor.c.pam-session	2007-09-06 17:37:46.000000000 +0200
+++ openssh-4.7p1/monitor.c	2007-09-06 17:37:46.000000000 +0200
@@ -1566,6 +1566,11 @@ mm_answer_term(int sock, Buffer *req)
 	/* The child is terminating */
 	session_destroy_all(&mm_session_close);
+#ifdef USE_PAM
+	if (options.use_pam)
+		sshpam_cleanup();
+#endif
+
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);
diff -up openssh-4.7p1/auth-pam.c.pam-session openssh-4.7p1/auth-pam.c
--- openssh-4.7p1/auth-pam.c.pam-session	2007-08-10 06:32:34.000000000 +0200
+++ openssh-4.7p1/auth-pam.c	2007-09-06 17:37:46.000000000 +0200
@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss
 void
 sshpam_cleanup(void)
 {
-	debug("PAM: cleanup");
-	if (sshpam_handle == NULL)
+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
 		return;
+	debug("PAM: cleanup");
 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 	if (sshpam_cred_established) {
+		debug("PAM: deleting credentials");
 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
 		sshpam_cred_established = 0;
 	}
 	if (sshpam_session_open) {
+		debug("PAM: closing session");
 		pam_close_session(sshpam_handle, PAM_SILENT);
 		sshpam_session_open = 0;
 	}
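Review bot: The new block calls `do_pam_setcred(1)` before `do_pam_session()`, which reverses the order the removed do_setusercontext code used (`do_pam_session(); do_pam_setcred(...)`), and nothing in the patch says why. PAM stacks differ on whether credentials are expected before or after pam_open_session, and modules whose session step depends on credentials (or the reverse) behave differently under each order, so the chosen order should be deliberate and recorded in a comment on the `do_pam_setcred(1)` line, e.g. `/* establish creds first, then open the session: <reason> */`. Both calls now run as root in the per-connection process before the privilege-separation fork, so they execute once per authenticated connection regardless of whether a session channel is ever opened; worth confirming that is intended for connections used only for forwarding. main() continues outside the hunk.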
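Review bot: `sshpam_cleanup()` is added only on the orderly mm_answer_term path, so if the privileged child goes away without sending the terminate request (killed, crashed, connection torn down), the session opened by the monitor in sshd.c is never closed and its credentials never deleted — unless some other monitor exit path also reaches sshpam_cleanup, which this patch does not show. The call should sit where every monitor exit converges, or be mirrored there, with the ownership stated: `/* the monitor owns the PAM session/creds; close them here and on every other monitor exit */`. The `options.use_pam` guard duplicates the NULL-handle check inside sshpam_cleanup and could be dropped, though it is harmless. mm_answer_term continues past the hunk.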
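Review bot: The new early return on `use_privsep && !mm_is_monitor()` silently turns sshpam_cleanup into a no-op in every privsep process except the monitor, and the function does not say why, so a reader hitting an open session after a child's exit will assume a bug. A comment above the condition would prevent that, along the lines of `/* With privsep the monitor owns the PAM handle and closes the session; a child must not tear it down while the user's processes are still running. */`, hedged as appropriate if the unprivileged pre-auth child is also meant to be covered. It is also worth confirming that mm_is_monitor() tolerates being called before the monitor structures are initialised, since use_privsep can already be set on early cleanup paths; if it does not, the guard itself becomes the crash. sshpam_cleanup continues beyond the hunk.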