# This issue has been raised with the upstream OpenSSH community:
|
#
|
# 2426 OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux
|
# platforms
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2426
|
#
|
# The OpenSSH maintainers added a call to do_pam_setcred() in
|
# platform_setusercontext_post_groups() with no corresponding bugID along with
|
# a befuddling comment that initgroups(3C) wipes out supplementary groups:
|
#
|
#https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96
|
#
|
# This only applies in the Linux world if the LinuxPAM pam_group(8) module
|
# has been installed and configured which allows one to assign additional
|
# secondary groups to a user using /etc/security/group.conf in addition to
|
# /etc/group. To confuse things a bit more, there is an OpenPAM PAM module
|
# of the same name, pam_group(8), which has different functionality, it
|
# performs access control based on group membership.
|
#
|
# In short, this additional call to do_pam_setcred() is Linux-specific and
|
# shouldn't be called on Solaris.
|
#
|
--- hpn-ssh-hpn-18.3.1/platform.c.orig
|
+++ hpn-ssh-hpn-18.3.1/platform.c
|
@@ -146,7 +146,7 @@
|
void
|
platform_setusercontext_post_groups(struct passwd *pw)
|
{
|
-#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
|
+#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) && !defined(PAM_SUN_CODEBASE)
|
/*
|
* PAM credentials may take the form of supplementary groups.
|
* These will have been wiped by the above initgroups() call.
|