- (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic

authentication early enough to be available to PAM session modules when
   privsep=yes.  Patch from deengert at anl.gov, ok'ed in principle by Sam
   Hartman and similar to Debian's ssh-krb5 package.

ChangeLog

@@ -8,6 +8,10 @@
  - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant
    Unix; prevents problems relating to the location of -lresolv in the
    link order.
+ - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
+   authentication early enough to be available to PAM session modules when
+   privsep=yes.  Patch from deengert at anl.gov, ok'ed in principle by Sam
+   Hartman and similar to Debian's ssh-krb5 package.
 
 20050215
  - (dtucker) [config.sh.in] Collect oslevel -r too.
@@ -2142,4 +2146,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3657 2005/02/16 05:19:17 dtucker Exp $
+$Id: ChangeLog,v 1.3658 2005/02/16 05:47:37 dtucker Exp $

session.c

@@ -677,14 +677,6 @@ do_exec(Session *s, const char *command)
 	}
 #endif
 
-#ifdef GSSAPI
-	if (options.gss_authentication) {
-		temporarily_use_uid(s->pw);
-		ssh_gssapi_storecreds();
-		restore_uid();
-	}
-#endif
-
 	if (s->ttyfd != -1)
 		do_exec_pty(s, command);
 	else
@@ -1279,6 +1271,13 @@ do_setusercontext(struct passwd *pw)
 # ifdef __bsdi__
 		setpgid(0, 0);
 # endif
+#ifdef GSSAPI
+		if (options.gss_authentication) {
+			temporarily_use_uid(pw);
+			ssh_gssapi_storecreds();
+			restore_uid();
+		}
+#endif
 # ifdef USE_PAM
 		if (options.use_pam) {
 			do_pam_session();
@@ -1309,6 +1308,13 @@ do_setusercontext(struct passwd *pw)
 			exit(1);
 		}
 		endgrent();
+#ifdef GSSAPI
+		if (options.gss_authentication) {
+			temporarily_use_uid(pw);
+			ssh_gssapi_storecreds();
+			restore_uid();
+		}
+#endif
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups.