PAM function ordering

Damien Miller djm at
Sun Jan 20 13:02:09 EST 2013

On Sat, 19 Jan 2013, Nicholas Wilson wrote:

> Dear all,
> I've been looking into hacking with some PAM modules, and thought I could
> learn from the OpenSSH source (it's probably the closest thing to a
> canonical cross-platform consumer of the API).

Hmmm. We are probably not the best learning example for PAM, we're
probably more of a cautionary example of how PAM's API doesn't fit with
modern, privilege- minimising and separated applications.

> One thing I've noticed I don't understand though is how OpenSSH's
> invocation of do_pam_session/setcred can work (in main of the process
> forked in sshd.c). Ignoring privsep for the moment, if we're doing
> challenge-response then pam_authenticate is happening in the PAM "thread",
> so the pam_h we call pam_setcred with isn't the one that we called
> pam_authenticate with. The pam_h the main process is using at this stage
> seems to be the one created in sshpam_init_authctx (or mm_init_auth_ctx
> with privsep) and hasn't had pam_authenticate called on it, has it?
> I've checked FreeBSD's pam_krb5 source, for example, and I can see that it
> uses pam_set/get_data to stash the krb5ccache between calls to
> pam_authenticate and pam_setcred. I don't understand how OpenSSH carries
> that data over from the "thread" back to the main process; I can only see
> the environment list being copied across.

Right, anything that uses pam_get/set_data will break on OpenSSH. So
far we've accepted this as a price of keeping our PAM code sane and
easy to reason about. Various alternatives have been suggested, but all
have turned my sunglasses black.

> I can also see that OpenSSH swallows all errors from pam_setcred if
> pam_authenticate wasn't called, so clearly this isn't going to stop
> connections. I remain confused though how the krb5 module in BSD could ever
> have its setcred function called successfully by OpenSSH. Perhaps it's an
> eccentric Kerberos implementation?

I think most people use the GSSAPI support in OpenSSH directly instead
of pam_krb5.

> Similarly, I wonder if there are any known guidelines on how
> pam_setcred(DESTROY) and pam_close_session are meant to be called, and if
> there are any constraints in the order between to be portable?

No, there are no guidelines for most of PAM. That's part of the problem.

Darren has a list of problems with PAM at


More information about the openssh-unix-dev mailing list