Working with PAM stages

Damien Miller djm at mindrot.org
Fri Aug 2 11:22:18 AEST 2019


On Thu, 1 Aug 2019, Carl Jenkins wrote:

> Hi,
> 
> I’m trying to develop a PAM module with OpenSSH, and I realized I need to
> retrieve something in a later stage that was saved in another previous
> stage. As far as my tests on OpenSSH 7.6 go, the password auth route goes
> through PAM auth, account, session, and the session stage is in a different
> UNIX process from the process where auth and account take place. For the
> key auth route, auth stage is bypassed in favor of the AuthorizedKeys or
> AuthorizedKeysCommand (in its own process) mechanisms, while PAM account
> and session stages are in the same process. Is this correct?
> 
> I’m aware of https://bugzilla.mindrot.org/show_bug.cgi?id=2548, which
> correspond to the password route. Key route doesn’t seem to agree with it.
> Regardless, I haven’t seen fixes around it.
> 
> And in either auth route, what do the two processes share uniquely for the
> same login attempt, like a session ID that I can extract?

I think the PAM environment might persist between stages, but
get/put_item doesn't work because of OpenSSH's pre/postauth split.

-d


More information about the openssh-unix-dev mailing list