Provide AcceptEnv variables to a Linux PAM module?

Damien Miller djm at mindrot.org
Tue Oct 15 10:04:27 EST 2013


On Mon, 14 Oct 2013, Ryan Cox wrote:

> I've been looking for a while and can't figure out for sure if variables
> allowed by AcceptEnv are readable by a PAM module.  I looked through the
> openssh source code and found a few calls to pam_putenv(), which looks like
> the relevant call, but I don't see anything that would copy over AcceptEnv
> variables.  Am I correct that the variables are not available to PAM?

No, they are only applied when the user's session is created, after
authentication.

> I'm
> guessing there are security implications to passing arbitrary variables
> through to PAM but is there some other way I can do so?

No, because the accepted environment variables are sent as part of the
session establishment that occurs well after authentication completes.

Maybe it would be possible to run the PAM session modules for each
multiplexed session (right now we run them right after authentication but
before session), but I'm not sure it would be safe to allow the user
environment through to them if they continue to run as root.

-d
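
The ordering described in the reply above, as an added example (not part of the original message and not OpenSSH code): it parses the `env` channel request from RFC 4254 out of constructed, already-decrypted SSH payloads and checks that such requests only arrive after `SSH_MSG_USERAUTH_SUCCESS`, i.e. after the point where PAM authentication has finished. The function names and sample values are assumptions made for illustration.

```python
import struct

# Message numbers from RFC 4252 (user authentication) and RFC 4254 (connection).
USERAUTH_SUCCESS, CHANNEL_OPEN, CHANNEL_REQUEST = 52, 90, 98

def ssh_string(data):  # SSH "string": uint32 length followed by the bytes
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):  # decode an SSH string; return (value, next_offset)
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_env_request(payload):
    """Return (name, value) for an 'env' channel request, else None."""
    if payload[:1] != bytes([CHANNEL_REQUEST]):
        return None
    req_type, off = read_string(payload, 5)  # skip type byte + uint32 channel
    if req_type != b"env":
        return None
    name, off = read_string(payload, off + 1)  # skip want-reply boolean
    value, _ = read_string(payload, off)
    return name.decode(), value.decode()

def env_after_auth(payloads):
    """Return env requests in order; reject any seen before USERAUTH_SUCCESS."""
    authenticated, seen = False, []
    for p in payloads:
        authenticated = authenticated or p[:1] == bytes([USERAUTH_SUCCESS])
        env = parse_env_request(p)
        if env and not authenticated:
            raise ValueError("env request before authentication")
        if env:
            seen.append(env)
    return seen

def env_request(channel, name, value):  # hypothetical helper to build sample data
    return (bytes([CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(b"env") + b"\x00" + ssh_string(name) + ssh_string(value))

# Constructed sample: decrypted payloads in the order they cross the wire.
SAMPLE = [
    bytes([USERAUTH_SUCCESS]),
    bytes([CHANNEL_OPEN]) + ssh_string(b"session") + struct.pack(">III", 0, 2097152, 32768),
    env_request(0, b"LANG", b"en_US.UTF-8"),
]
```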


More information about the openssh-unix-dev mailing list