From f51fe0c55e54c12db952624e980d18f39c41e581 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:57 +0000
Subject: Add support for registering ConsoleKit sessions on login

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
Last-Updated: 2014-10-07

Patch-Name: consolekit.patch
---
 Makefile.in    |   3 +-
 configure      | 132 +++++++++++++++++++++++++++++++
 configure.ac   |  25 ++++++
 consolekit.c   | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 consolekit.h   |  24 ++++++
 monitor.c      |  42 ++++++++++
 monitor.h      |   2 +
 monitor_wrap.c |  30 +++++++
 monitor_wrap.h |   4 +
 session.c      |  13 ++++
 session.h      |   6 ++
 11 files changed, 521 insertions(+), 1 deletion(-)
 create mode 100644 consolekit.c
 create mode 100644 consolekit.h

diff --git a/Makefile.in b/Makefile.in
index 086d8dd..c4cb8ea 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -107,7 +107,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-	sandbox-seccomp-filter.o sandbox-capsicum.o
+	sandbox-seccomp-filter.o sandbox-capsicum.o \
+	consolekit.o
 
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
diff --git a/configure b/configure
index ea5f200..7be478a 100755
--- a/configure
+++ b/configure
@@ -739,6 +739,7 @@ with_privsep_user
 with_sandbox
 with_selinux
 with_kerberos5
+with_consolekit
 with_privsep_path
 with_xauth
 enable_strip
@@ -1430,6 +1431,7 @@ Optional Packages:
   --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)
   --with-selinux          Enable SELinux support
   --with-kerberos5=PATH   Enable Kerberos 5 support
+  --with-consolekit       Enable ConsoleKit support
   --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
   --with-xauth=PATH       Specify path to xauth program
   --with-maildir=/path/to/mail    Specify your system mail directory
@@ -17211,6 +17213,135 @@ fi
 
 
 
+# Check whether user wants ConsoleKit support
+CONSOLEKIT_MSG="no"
+LIBCK_CONNECTOR=""
+
+# Check whether --with-consolekit was given.
+if test "${with_consolekit+set}" = set; then :
+  withval=$with_consolekit;  if test "x$withval" != "xno" ; then
+		if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PKGCONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PKGCONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PKGCONFIG=$ac_cv_path_PKGCONFIG
+if test -n "$PKGCONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKGCONFIG" >&5
+$as_echo "$PKGCONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_path_PKGCONFIG"; then
+  ac_pt_PKGCONFIG=$PKGCONFIG
+  # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $ac_pt_PKGCONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG
+if test -n "$ac_pt_PKGCONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5
+$as_echo "$ac_pt_PKGCONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_pt_PKGCONFIG" = x; then
+    PKGCONFIG="no"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    PKGCONFIG=$ac_pt_PKGCONFIG
+  fi
+else
+  PKGCONFIG="$ac_cv_path_PKGCONFIG"
+fi
+
+		if test "$PKGCONFIG" != "no"; then
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ck-connector" >&5
+$as_echo_n "checking for ck-connector... " >&6; }
+			if $PKGCONFIG --exists ck-connector; then
+				CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
+				CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
+				CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
+				SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define USE_CONSOLEKIT 1" >>confdefs.h
+
+				CONSOLEKIT_MSG="yes"
+			else
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+			fi
+		fi
+	fi
+
+fi
+
+
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
@@ -19739,6 +19870,7 @@ echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
+echo "                ConsoleKit support: $CONSOLEKIT_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
diff --git a/configure.ac b/configure.ac
index 7f160f1..f5c65c5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4113,6 +4113,30 @@ AC_ARG_WITH([kerberos5],
 AC_SUBST([GSSLIBS])
 AC_SUBST([K5LIBS])
 
+# Check whether user wants ConsoleKit support
+CONSOLEKIT_MSG="no"
+LIBCK_CONNECTOR=""
+AC_ARG_WITH(consolekit,
+	[  --with-consolekit       Enable ConsoleKit support],
+	[ if test "x$withval" != "xno" ; then
+		AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+		if test "$PKGCONFIG" != "no"; then
+			AC_MSG_CHECKING([for ck-connector])
+			if $PKGCONFIG --exists ck-connector; then
+				CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
+				CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
+				CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
+				SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
+				AC_MSG_RESULT([yes])
+				AC_DEFINE(USE_CONSOLEKIT, 1, [Define if you want ConsoleKit support.])
+				CONSOLEKIT_MSG="yes"
+			else
+				AC_MSG_RESULT([no])
+			fi
+		fi
+	fi ]
+)
+
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
@@ -4914,6 +4938,7 @@ echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
+echo "                ConsoleKit support: $CONSOLEKIT_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
diff --git a/consolekit.c b/consolekit.c
new file mode 100644
index 0000000..0266f06
--- /dev/null
+++ b/consolekit.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (c) 2008 Colin Watson.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*
+ * Loosely based on pam-ck-connector, which is:
+ *
+ * Copyright (c) 2007 David Zeuthen <davidz@redhat.com>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use,
+ * copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following
+ * conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef USE_CONSOLEKIT
+
+#include <ck-connector.h>
+
+#include "openbsd-compat/sys-queue.h"
+#include "xmalloc.h"
+#include "channels.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "log.h"
+#include "misc.h"
+#include "servconf.h"
+#include "canohost.h"
+#include "session.h"
+#include "consolekit.h"
+
+extern ServerOptions options;
+extern u_int utmp_len;
+
+void
+set_active(const char *cookie)
+{
+	DBusError err;
+	DBusConnection *connection;
+	DBusMessage *message = NULL, *reply = NULL;
+	char *sid;
+	DBusMessageIter iter, subiter;
+	const char *interface, *property;
+	dbus_bool_t active;
+
+	dbus_error_init(&err);
+	connection = dbus_bus_get_private(DBUS_BUS_SYSTEM, &err);
+	if (!connection) {
+		if (dbus_error_is_set(&err)) {
+			error("unable to open DBus connection: %s",
+			    err.message);
+			dbus_error_free(&err);
+		}
+		goto out;
+	}
+	dbus_connection_set_exit_on_disconnect(connection, FALSE);
+
+	message = dbus_message_new_method_call("org.freedesktop.ConsoleKit",
+	    "/org/freedesktop/ConsoleKit/Manager",
+	    "org.freedesktop.ConsoleKit.Manager",
+	    "GetSessionForCookie");
+	if (!message)
+		goto out;
+	if (!dbus_message_append_args(message, DBUS_TYPE_STRING, &cookie,
+	    DBUS_TYPE_INVALID)) {
+		if (dbus_error_is_set(&err)) {
+			error("unable to get current session: %s",
+			    err.message);
+			dbus_error_free(&err);
+		}
+		goto out;
+	}
+
+	dbus_error_init(&err);
+	reply = dbus_connection_send_with_reply_and_block(connection, message,
+	    -1, &err);
+	if (!reply) {
+		if (dbus_error_is_set(&err)) {
+			error("unable to get current session: %s",
+			    err.message);
+			dbus_error_free(&err);
+		}
+		goto out;
+	}
+
+	dbus_error_init(&err);
+	if (!dbus_message_get_args(reply, &err,
+	    DBUS_TYPE_OBJECT_PATH, &sid,
+	    DBUS_TYPE_INVALID)) {
+		if (dbus_error_is_set(&err)) {
+			error("unable to get current session: %s",
+			    err.message);
+			dbus_error_free(&err);
+		}
+		goto out;
+	}
+	dbus_message_unref(reply);
+	dbus_message_unref(message);
+	message = reply = NULL;
+
+	message = dbus_message_new_method_call("org.freedesktop.ConsoleKit",
+	    sid, "org.freedesktop.DBus.Properties", "Set");
+	if (!message)
+		goto out;
+	interface = "org.freedesktop.ConsoleKit.Session";
+	property = "active";
+	if (!dbus_message_append_args(message,
+	    DBUS_TYPE_STRING, &interface, DBUS_TYPE_STRING, &property,
+	    DBUS_TYPE_INVALID))
+		goto out;
+	dbus_message_iter_init_append(message, &iter);
+	if (!dbus_message_iter_open_container(&iter, DBUS_TYPE_VARIANT,
+	    DBUS_TYPE_BOOLEAN_AS_STRING, &subiter))
+		goto out;
+	active = TRUE;
+	if (!dbus_message_iter_append_basic(&subiter, DBUS_TYPE_BOOLEAN,
+	    &active))
+		goto out;
+	if (!dbus_message_iter_close_container(&iter, &subiter))
+		goto out;
+
+	dbus_error_init(&err);
+	reply = dbus_connection_send_with_reply_and_block(connection, message,
+	    -1, &err);
+	if (!reply) {
+		if (dbus_error_is_set(&err)) {
+			error("unable to make current session active: %s",
+			    err.message);
+			dbus_error_free(&err);
+		}
+		goto out;
+	}
+
+out:
+	if (reply)
+		dbus_message_unref(reply);
+	if (message)
+		dbus_message_unref(message);
+}
+
+/*
+ * We pass display separately rather than using s->display because the
+ * latter is not available in the monitor when using privsep.
+ */
+
+char *
+consolekit_register(Session *s, const char *display)
+{
+	DBusError err;
+	const char *tty = s->tty;
+	const char *remote_host_name;
+	dbus_bool_t is_local = FALSE;
+	const char *cookie = NULL;
+
+	if (s->ckc) {
+		debug("already registered with ConsoleKit");
+		return xstrdup(ck_connector_get_cookie(s->ckc));
+	}
+
+	s->ckc = ck_connector_new();
+	if (!s->ckc) {
+		error("ck_connector_new failed");
+		return NULL;
+	}
+
+	if (!tty)
+		tty = "";
+	if (!display)
+		display = "";
+	remote_host_name = get_remote_name_or_ip(utmp_len, options.use_dns);
+	if (!remote_host_name)
+		remote_host_name = "";
+
+	dbus_error_init(&err);
+	if (!ck_connector_open_session_with_parameters(s->ckc, &err,
+	    "unix-user", &s->pw->pw_uid,
+	    "display-device", &tty,
+	    "x11-display", &display,
+	    "remote-host-name", &remote_host_name,
+	    "is-local", &is_local,
+	    NULL)) {
+		if (dbus_error_is_set(&err)) {
+			debug("%s", err.message);
+			dbus_error_free(&err);
+		} else {
+			debug("insufficient privileges or D-Bus / ConsoleKit "
+			    "not available");
+		}
+		return NULL;
+	}
+
+	debug("registered uid=%d on tty='%s' with ConsoleKit",
+	    s->pw->pw_uid, s->tty);
+
+	cookie = ck_connector_get_cookie(s->ckc);
+	set_active(cookie);
+	return xstrdup(cookie);
+}
+
+void
+consolekit_unregister(Session *s)
+{
+	if (s->ckc) {
+		debug("unregistering ConsoleKit session %s",
+		    ck_connector_get_cookie(s->ckc));
+		ck_connector_unref(s->ckc);
+		s->ckc = NULL;
+	}
+}
+
+#endif /* USE_CONSOLEKIT */
diff --git a/consolekit.h b/consolekit.h
new file mode 100644
index 0000000..8ce3716
--- /dev/null
+++ b/consolekit.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2008 Colin Watson.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef USE_CONSOLEKIT
+
+struct Session;
+
+char *	 consolekit_register(struct Session *, const char *);
+void	 consolekit_unregister(struct Session *);
+
+#endif /* USE_CONSOLEKIT */
diff --git a/monitor.c b/monitor.c
index 94b194d..cc15ce4 100644
--- a/monitor.c
+++ b/monitor.c
@@ -100,6 +100,9 @@
 #include "ssh2.h"
 #include "roaming.h"
 #include "authfd.h"
+#ifdef USE_CONSOLEKIT
+#include "consolekit.h"
+#endif
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -190,6 +193,10 @@ int mm_answer_audit_command(int, Buffer *);
 
 static int monitor_read_log(struct monitor *);
 
+#ifdef USE_CONSOLEKIT
+int mm_answer_consolekit_register(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 
 #ifdef WITH_SSH1
@@ -282,6 +289,9 @@ struct mon_table mon_dispatch_postauth20[] = {
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
 #endif
+#ifdef USE_CONSOLEKIT
+    {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
+#endif
     {0, 0, NULL}
 };
 
@@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = {
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
 #endif
+#ifdef USE_CONSOLEKIT
+    {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
+#endif
 #endif /* WITH_SSH1 */
     {0, 0, NULL}
 };
@@ -509,6 +522,9 @@ monitor_child_postauth(struct monitor *pmonitor)
 		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
 	}
+#ifdef USE_CONSOLEKIT
+	monitor_permit(mon_dispatch, MONITOR_REQ_CONSOLEKIT_REGISTER, 1);
+#endif
 
 	for (;;)
 		monitor_read(pmonitor, mon_dispatch, NULL);
@@ -2296,3 +2312,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
 
 #endif /* GSSAPI */
 
+#ifdef USE_CONSOLEKIT
+int
+mm_answer_consolekit_register(int sock, Buffer *m)
+{
+	Session *s;
+	char *tty, *display;
+	char *cookie = NULL;
+
+	debug3("%s entering", __func__);
+
+	tty = buffer_get_string(m, NULL);
+	display = buffer_get_string(m, NULL);
+	s = session_by_tty(tty);
+	if (s != NULL)
+		cookie = consolekit_register(s, display);
+	buffer_clear(m);
+	buffer_put_cstring(m, cookie != NULL ? cookie : "");
+	mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m);
+
+	free(cookie);
+	free(display);
+	free(tty);
+
+	return (0);
+}
+#endif /* USE_CONSOLEKIT */
diff --git a/monitor.h b/monitor.h
index 4d5e8fa..10ba59e 100644
--- a/monitor.h
+++ b/monitor.h
@@ -70,6 +70,8 @@ enum monitor_reqtype {
 
 	MONITOR_REQ_AUTHROLE = 154,
 
+	MONITOR_REQ_CONSOLEKIT_REGISTER = 156, MONITOR_ANS_CONSOLEKIT_REGISTER = 157,
+
 };
 
 struct mm_master;
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 6dc890a..4c57d4d 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1363,3 +1363,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
 
 #endif /* GSSAPI */
 
+#ifdef USE_CONSOLEKIT
+char *
+mm_consolekit_register(Session *s, const char *display)
+{
+	Buffer m;
+	char *cookie;
+
+	debug3("%s entering", __func__);
+
+	if (s->ttyfd == -1)
+		return NULL;
+	buffer_init(&m);
+	buffer_put_cstring(&m, s->tty);
+	buffer_put_cstring(&m, display != NULL ? display : "");
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_CONSOLEKIT_REGISTER, &m);
+	buffer_clear(&m);
+
+	mm_request_receive_expect(pmonitor->m_recvfd,
+	    MONITOR_ANS_CONSOLEKIT_REGISTER, &m);
+	cookie = buffer_get_string(&m, NULL);
+	buffer_free(&m);
+
+	/* treat empty cookie as missing cookie */
+	if (strlen(cookie) == 0) {
+		free(cookie);
+		cookie = NULL;
+	}
+	return (cookie);
+}
+#endif /* USE_CONSOLEKIT */
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 9c2ee49..00e93fe 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -111,4 +111,8 @@ void *mm_zalloc(struct mm_master *, u_int, u_int);
 void mm_zfree(struct mm_master *, void *);
 void mm_init_compression(struct mm_master *);
 
+#ifdef USE_CONSOLEKIT
+char *mm_consolekit_register(struct Session *, const char *);
+#endif /* USE_CONSOLEKIT */
+
 #endif /* _MM_WRAP_H_ */
diff --git a/session.c b/session.c
index 6f389ac..6250c20 100644
--- a/session.c
+++ b/session.c
@@ -93,6 +93,7 @@
 #include "kex.h"
 #include "monitor_wrap.h"
 #include "sftp.h"
+#include "consolekit.h"
 
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
@@ -1143,6 +1144,9 @@ do_setup_env(Session *s, const char *shell)
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
 	char *path = NULL;
 #endif
+#ifdef USE_CONSOLEKIT
+	const char *ckcookie = NULL;
+#endif /* USE_CONSOLEKIT */
 
 	/* Initialize the environment. */
 	envsize = 100;
@@ -1287,6 +1291,11 @@ do_setup_env(Session *s, const char *shell)
 		child_set_env(&env, &envsize, "KRB5CCNAME",
 		    s->authctxt->krb5_ccname);
 #endif
+#ifdef USE_CONSOLEKIT
+	ckcookie = PRIVSEP(consolekit_register(s, s->display));
+	if (ckcookie)
+		child_set_env(&env, &envsize, "XDG_SESSION_COOKIE", ckcookie);
+#endif /* USE_CONSOLEKIT */
 #ifdef USE_PAM
 	/*
 	 * Pull in any environment variables that may have
@@ -2350,6 +2359,10 @@ session_pty_cleanup2(Session *s)
 
 	debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
 
+#ifdef USE_CONSOLEKIT
+	consolekit_unregister(s);
+#endif /* USE_CONSOLEKIT */
+
 	/* Record that the user has logged out. */
 	if (s->pid != 0)
 		record_logout(s->pid, s->tty, s->pw->pw_name);
diff --git a/session.h b/session.h
index ef6593c..a6b6983 100644
--- a/session.h
+++ b/session.h
@@ -26,6 +26,8 @@
 #ifndef SESSION_H
 #define SESSION_H
 
+struct _CkConnector;
+
 #define TTYSZ 64
 typedef struct Session Session;
 struct Session {
@@ -61,6 +63,10 @@ struct Session {
 		char	*name;
 		char	*val;
 	} *env;
+
+#ifdef USE_CONSOLEKIT
+	struct _CkConnector *ckc;
+#endif /* USE_CONSOLEKIT */
 };
 
 void	 do_authenticated(Authctxt *);