On Thu, 1 Aug 2019, Carl Jenkins wrote:

> Hi,
>
> I’m trying to develop a PAM module with OpenSSH, and I realized I need to
> retrieve something in a later stage that was saved in another previous
> stage. As far as my tests on OpenSSH 7.6 go, the password auth route goes
> through PAM auth, account, session, and the session stage is in a different
> UNIX process from the process where auth and account take place. For the
> key auth route, auth stage is bypassed in favor of the AuthorizedKeys or
> AuthorizedKeysCommand (in its own process) mechanisms, while PAM account
> and session stages are in the same process. Is this correct?
>
> I’m aware of https://bugzilla.mindrot.org/show_bug.cgi?id=2548, which
> corresponds to the password route. Key route doesn’t seem to agree with it.
> Regardless, I haven’t seen fixes around it.
>
> And in either auth route, what do the two processes share uniquely for the
> same login attempt, like a session ID that I can extract?

I think the PAM environment might persist between stages, but get/put_item doesn't work because of OpenSSH's pre/postauth split.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev