PAM function ordering

Nicholas Wilson nicholas at
Sun Jan 20 09:31:12 EST 2013

Dear all,

I've been looking into hacking with some PAM modules, and thought I could
learn from the OpenSSH source (it's probably the closest thing to a
canonical cross-platform consumer of the API).

One thing I've noticed I don't understand though is how OpenSSH's
invocation of do_pam_session/setcred can work (in main of the process
forked in sshd.c). Ignoring privsep for the moment, if we're doing
challenge-response then pam_authenticate is happening in the PAM "thread",
so the pam_h we call pam_setcred with isn't the one that we called
pam_authenticate with. The pam_h the main process is using at this stage
seems to be the one created in sshpam_init_authctx (or mm_init_auth_ctx
with privsep) and hasn't had pam_authenticate called on it, has it?

I've checked FreeBSD's pam_krb5 source, for example, and I can see that it
uses pam_set/get_data to stash the krb5ccache between calls to
pam_authenticate and pam_setcred. I don't understand how OpenSSH carries
that data over from the "thread" back to the main process; I can only see
the environment list being copied across.

I can also see that OpenSSH swallows all errors from pam_setcred if
pam_authenticate wasn't called, so clearly this isn't going to stop
connections. I remain confused though how the krb5 module in BSD could ever
have its setcred function called successfully by OpenSSH. Perhaps it's an
eccentric Kerberos implementation?

Similarly, I wonder if there are any known guidelines on how
pam_setcred(DESTROY) and pam_close_session are meant to be called, and if
there are any constraints in the order between to be portable?

Thanks ever so much for any clues you could give me. Hopefully I'm simply
missing something.


Nicholas Wilson: nicholas at

More information about the openssh-unix-dev mailing list