Shut down forked PAM handle

Shutting down the forked PAM handle must be done as per the Linux-PAM
documentation, specifically after setuid.

This is not a new requirement, but until recently (~2021) there was no
consequence to not doing so.

`pam_cap` now requires the handle to be shut down correctly in order to
configure ambient capabilities for the session. Importantly, these must
be configured after setuid, as setuid clears the ambient capability
vector.

Signed-off-by: Tudor Brindus <me@tbrindus.ca>

Author: Xyene

auth-pam.c

@@ -661,6 +661,18 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
 
 static struct pam_conv store_conv = { sshpam_store_conv, NULL };
 
+void
+sshpam_cleanup_in_child(void)
+{
+	if (sshpam_handle == NULL)
+		return;
+
+#ifdef PAM_DATA_SILENT
+	/* macOS PAM doesn't support PAM_DATA_SILENT.  */
+	pam_end(sshpam_handle, PAM_SUCCESS | PAM_DATA_SILENT);
+#endif
+}
+
 void
 sshpam_cleanup(void)
 {

auth-pam.h

@@ -39,6 +39,7 @@ char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
 void sshpam_thread_cleanup(void);
 void sshpam_cleanup(void);
+void sshpam_cleanup_in_child(void);
 int sshpam_auth_passwd(Authctxt *, const char *);
 int sshpam_get_maxtries_reached(void);
 void sshpam_set_maxtries_reached(int);

session.c

@@ -1564,6 +1564,21 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	 */
 	env = do_setup_env(ssh, s, shell);
 
+#ifdef USE_PAM
+	if (options.use_pam) {
+		/*
+		 * Shutting down the forked PAM handle must be done as per the
+		 * Linux-PAM documentation, specifically after setuid.
+		 *
+		 * Concretely, this ensures pam_cap can configure ambient
+		 * capabilities for the session by applying them during
+		 * cleanup. Without this, the ambient capability vector gets
+		 * cleared during setuid.
+		 */
+		sshpam_cleanup_in_child();
+	}
+#endif
+
 #ifdef HAVE_LOGIN_CAP
 	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
 #endif