Working with PAM stages

Carl Jenkins cjenkins5614 at
Fri Aug 2 04:00:03 AEST 2019


I’m trying to develop a PAM module with OpenSSH, and I realized I need to
retrieve something in a later stage that was saved in another previous
stage. As far as my tests on OpenSSH 7.6 go, the password auth route goes
through PAM auth, account, session, and the session stage is in a different
UNIX process from the process where auth and account take place. For the
key auth route, auth stage is bypassed in favor of the AuthorizedKeys or
AuthorizedKeysCommand (in its own process) mechanisms, while PAM account
and session stages are in the same process. Is this correct?

I’m aware of, which
correspond to the password route. Key route doesn’t seem to agree with it.
Regardless, I haven’t seen fixes around it.

And in either auth route, what do the two processes share uniquely for the
same login attempt, like a session ID that I can extract?


More information about the openssh-unix-dev mailing list