--- hpn-ssh-hpn-18.4.2/auth-pam.c.orig +++ hpn-ssh-hpn-18.4.2/auth-pam.c @@ -1215,6 +1215,20 @@ return (sshpam_account_status); } +#ifdef HAVE_PAM_AUSER +void +do_pam_set_auser(const char* auser) +{ + if (auser != NULL) { + debug("PAM: setting PAM_AUSER to \"%s\"", auser); + sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser); + if (sshpam_err != PAM_SUCCESS) + error("PAM: failed to set PAM_AUSER: %s", + pam_strerror(sshpam_handle, sshpam_err)); + } +} +#endif + void do_pam_setcred(int init) { --- hpn-ssh-hpn-18.4.2/auth-pam.h.orig +++ hpn-ssh-hpn-18.4.2/auth-pam.h @@ -44,4 +44,9 @@ void sshpam_set_maxtries_reached(int); int is_pam_session_open(void); +#ifdef HAVE_PAM_AUSER +void do_pam_set_auser(const char *); +#endif +void do_pam_set_tty(const char *); + #endif /* USE_PAM */ --- hpn-ssh-hpn-18.4.2/auth.h.orig +++ hpn-ssh-hpn-18.4.2/auth.h @@ -98,6 +98,9 @@ #ifdef PAM_ENHANCEMENT char *authmethod_name; #endif +#ifdef HAVE_PAM_AUSER + char *auser; +#endif }; /* --- hpn-ssh-hpn-18.4.2/auth2-hostbased.c.orig +++ hpn-ssh-hpn-18.4.2/auth2-hostbased.c @@ -80,6 +80,9 @@ debug("signature:"); sshbuf_dump_data(sig, slen, stderr); #endif +#ifdef HAVE_PAM_AUSER + authctxt->auser = NULL; +#endif pktype = sshkey_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { /* this is perfectly legal */ @@ -151,6 +154,13 @@ sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0) authenticated = 1; +#ifdef HAVE_PAM_AUSER + if (authenticated) { + authctxt->auser = cuser; + cuser = NULL; + } +#endif + auth2_record_key(authctxt, authenticated, key); sshbuf_free(b); done: --- hpn-ssh-hpn-18.4.2/auth2.c.orig +++ hpn-ssh-hpn-18.4.2/auth2.c @@ -427,6 +427,14 @@ #endif } +#ifdef HAVE_PAM_AUSER + if (!use_privsep) { + do_pam_set_auser(authctxt->auser); + free(authctxt->auser); + authctxt->auser = NULL; + } +#endif + if (authenticated && options.num_auth_methods != 0) { #if defined(USE_PAM) && defined(PAM_ENHANCEMENT) --- hpn-ssh-hpn-18.4.2/monitor.c.orig +++ hpn-ssh-hpn-18.4.2/monitor.c @@ -391,6 +391,12 @@ } } +#if defined(HAVE_PAM_AUSER) && defined(USE_PAM) + if (hostbased_cuser != NULL) { + free(hostbased_cuser); + hostbased_cuser = NULL; + } +#endif if (!authctxt->valid) fatal_f("authenticated invalid user"); if (strcmp(auth_method, "unknown") == 0) @@ -594,14 +600,16 @@ { /* reset state */ free(key_blob); +#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM) free(hostbased_cuser); + hostbased_cuser = NULL; +#endif free(hostbased_chost); sshauthopt_free(key_opts); key_blob = NULL; key_bloblen = 0; key_blobtype = MM_NOKEY; key_opts = NULL; - hostbased_cuser = NULL; hostbased_chost = NULL; } @@ -1074,6 +1082,11 @@ if (!options.use_pam) fatal("%s: PAM not enabled", __func__); +#ifdef HAVE_PAM_AUSER + if (hostbased_cuser != NULL) + do_pam_set_auser(hostbased_cuser); +#endif + ret = do_pam_account(); if ((r = sshbuf_put_u32(m, ret)) != 0 ||