[Pam-ssh-users] pam_ssh stays as user if no session tty
From: Jim C. <ji...@ma...> - 2013-06-06 06:47:16
If pam_ssh.so is called when the session has no TTY, in pam_sm_open_session when it is about to link $HOME/.ssh/agent-$HOST-$TTY, it instead returns without calling openpam_restore_cred. There is a similar escape route if it can read the agent file but can't stat it. In XDM serving a XDMCP query (which has no TTY), but not on the physical display and not with other display managers such as LightDM, the non-root user lacks permission to write on lastlog, to talk to the login manager to manage the session, etc. This prevents the user from getting an X-Windows session.

The appended patch inserts the needed calls to openpam_restore_cred, and the user is able to get a session.

This is with pam_ssh-1.97-23.1.1.i586 and x86_64, and xdm-1.1.10-14.6.1.i586 and x86_64, on OpenSuSE 12.3. Please see https://bugzilla.novell.com/show_bug.cgi?id=823484 for the syslog messages, a "how to reproduce" scenario, and more discussion.

-- 
James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 520 Portola Plaza; Los Angeles, CA, USA 90095-1555
Email: ji...@ma...  http://www.math.ucla.edu/~jimc (q.v. for PGP key)

Patch follows:

--- pam_ssh-1.97/pam_ssh.c	2013-06-04 16:15:04.142565929 -0700
+++ /tmp/root.jimc/pam_ssh-1.97/pam_ssh.c	2013-06-04 15:59:06.363422528 -0700
@@ -630,6 +630,7 @@
 		pam_ssh_log(LOG_ERR, "stat() failed on %s", per_agent);
 		pam_set_data(pamh, "ssh_agent_env_agent", NULL, NULL);
 		fclose(env_read);
+		openpam_restore_cred(pamh);
 		return retval;
 	}
 	file_ctime = stat_buf.st_mtime;
@@ -873,6 +874,7 @@
 	 * with the per-session file */
 	if (!tty_raw) {
 		pam_ssh_log(LOG_DEBUG, "session has no tty");
+		openpam_restore_cred(pamh);
 		return PAM_SUCCESS;
 	}
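Review bot: in the first hunk (the stat() failure path around line 630) the return value of the added openpam_restore_cred(pamh) is discarded, so a failed restore would leave the rest of the session stack running with the borrowed user credentials, which is exactly the condition this patch is meant to close; compare against PAM_SUCCESS and report a failure through pam_ssh_log(LOG_ERR, ...) the way the neighbouring stat() failure already is. The message describes two escape routes, so the other early `return retval` sites in the same function should be audited for the same missing restore.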
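Review bot: in the second hunk (the no-tty branch around line 873) a restore is again placed in front of one more early `return`, which fixes the reported path but leaves pam_sm_open_session with several exits that each have to remember to undo openpam_borrow_cred; a single cleanup label that calls openpam_restore_cred(pamh) once, with the no-tty and error branches jumping to it, makes the next shortcut safe by construction. The LOG_DEBUG line would also help the XDMCP diagnosis described in the mail if it stated that the per-session agent link is being skipped.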
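As an added illustration, not code from the original post or from pam_ssh, the following C program models the control-flow defect the patch addresses. A plain struct stands in for the credentials that openpam_borrow_cred()/openpam_restore_cred() switch in the real module (so it runs without root), and the three exit paths the mail discusses (normal, no tty, stat failure) are exercised against a version with scattered early returns and a version with a single cleanup label. The names open_session_leaky, open_session_fixed and session_restores_creds, the uid 1000 and the PAM return codes are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for the credentials openpam_borrow_cred() / openpam_restore_cred()
 * juggle inside the real module (added example, not pam_ssh code). */
struct cred_state {
    uid_t euid;        /* effective uid in force; 0 means root */
    uid_t saved_euid;  /* uid saved by borrow, put back by restore */
    bool  borrowed;
};

static void cred_borrow(struct cred_state *c, uid_t user)
{
    c->saved_euid = c->euid;
    c->euid = user;
    c->borrowed = true;
}

static void cred_restore(struct cred_state *c)
{
    if (c->borrowed) {
        c->euid = c->saved_euid;
        c->borrowed = false;
    }
}

#define PAM_SUCCESS 0
#define PAM_SESSION_ERR 1

/* Conditions that pick the exit path, mirroring the two cases in the mail. */
struct session_env {
    uid_t user;
    bool  tty;            /* session has a tty (false for an XDMCP session) */
    bool  agent_stat_ok;  /* stat() on the per-agent file succeeded */
};

/* Pre-patch shape: each early return skips the restore. */
static int open_session_leaky(struct cred_state *c, const struct session_env *e)
{
    cred_borrow(c, e->user);
    if (!e->agent_stat_ok)
        return PAM_SESSION_ERR;   /* returns while still running as the user */
    if (!e->tty)
        return PAM_SUCCESS;       /* same leak, reported as success */
    /* ... link $HOME/.ssh/agent-$HOST-$TTY here ... */
    cred_restore(c);
    return PAM_SUCCESS;
}

/* Single exit: the restore runs exactly once whichever path is taken. */
static int open_session_fixed(struct cred_state *c, const struct session_env *e)
{
    int rv = PAM_SUCCESS;
    cred_borrow(c, e->user);
    if (!e->agent_stat_ok) {
        rv = PAM_SESSION_ERR;
        goto out;
    }
    if (!e->tty)
        goto out;
    /* ... link $HOME/.ssh/agent-$HOST-$TTY here ... */
out:
    cred_restore(c);
    return rv;
}

/* True if the module handed the process back to root afterwards. */
static bool session_restores_creds(bool fixed, bool tty, bool agent_stat_ok)
{
    struct cred_state c = { .euid = 0, .saved_euid = 0, .borrowed = false };
    struct session_env e = { .user = 1000, .tty = tty, .agent_stat_ok = agent_stat_ok };
    if (fixed)
        open_session_fixed(&c, &e);
    else
        open_session_leaky(&c, &e);
    return c.euid == 0 && !c.borrowed;
}

int main(void)
{
    const char *names[] = { "tty+stat ok", "no tty (XDMCP)", "stat failed" };
    const bool ttys[]   = { true, false, true };
    const bool stats[]  = { true, true, false };
    for (int i = 0; i < 3; i++)
        printf("%-15s leaky=%-4s fixed=%s\n", names[i],
               session_restores_creds(false, ttys[i], stats[i]) ? "ok" : "LEAK",
               session_restores_creds(true, ttys[i], stats[i]) ? "ok" : "LEAK");
    return 0;
}
```

Running it prints one line per path; the leaky variant reports LEAK for the no-tty and stat-failure cases, which correspond to the two hunks in the patch, while the single-exit variant restores credentials on every path. The real module additionally needs to check the return value of openpam_restore_cred(), which this model does not represent.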