On Thu, 8 Aug 2019, JCA wrote:

> When OpenSSH is built with PAM support, on getting an authentication
> request the OpenSSH daemon will invoke PAM functions, as instructed in the
> /etc/pam.d/sshd file.
>
> At what point(s) before the authentication stage is concluded does the
> daemon invoke such functions? What are the criteria that have been adopted
> to select when to start interacting with PAM? I am pretty sure that, for
> example, the validity of the username is tested before PAM gets at all
> involved, right?

Yes, the username is tested before pam_start() is called.

The PAM account stack is queried after each successful (SSH-wise)
authentication and has a chance to cancel the authentication.

Finally, the PAM session module is called in the privileged sshd process
after authentication has completed.

It's a bit of a mess, but it's the best we could do to shoehorn PAM into
OpenSSH's privilege separation without accepting large amounts of
additional complexity (reentrance or threads).

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
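The ordering described in the reply above (PAM account stack after every
successful SSH-level authentication, PAM session stack in the privileged
process once authentication is complete) is what decides which part of
/etc/pam.d/sshd can veto a login. The fragment below is an added
illustration, not part of the thread and not shipped by OpenSSH or any
distribution; it assumes a Linux-PAM system, UsePAM yes in sshd_config, and
the stock pam_nologin, pam_access, pam_unix, pam_loginuid, pam_limits and
pam_env modules. Which stack a module sits in matters: a public-key login
never touches the auth stack (that stack is only reached when the SSH-level
method itself is keyboard-interactive/password via PAM), so a deny policy
placed under auth would silently not apply to key logins, while the same
policy under account is enforced for every login.

```text
# /etc/pam.d/sshd  (illustrative fragment, Linux-PAM syntax)

# auth stack: reached only when the SSH-level authentication goes through
# PAM (keyboard-interactive / password with UsePAM yes). A public-key
# login is authenticated by sshd itself and never runs these lines, so
# nothing that must apply to all logins belongs here.
auth       required     pam_unix.so

# account stack: pam_acct_mgmt() is called by sshd after *every* successful
# SSH-level authentication, public key included, and a failure here cancels
# the login. Deny-by-policy modules go in this stack.
account    required     pam_nologin.so     # honour /etc/nologin
account    required     pam_access.so      # /etc/security/access.conf rules
account    required     pam_unix.so        # expiry, locked accounts

# session stack: pam_open_session() runs in the privileged sshd process
# after authentication has completed, so modules that need root to take
# effect (audit login uid, resource limits) belong here.
session    required     pam_loginuid.so
session    required     pam_limits.so
session    optional     pam_env.so
```

To check that the account stack really gates key-based logins on a test
host, add a rule denying a test user in /etc/security/access.conf, attempt
a login with a valid key for that user, and confirm sshd refuses it after
the key has been accepted (the client sees the connection closed right
after the key exchange, and sshd logs the PAM account denial). The one
exception in the account stage is pam_acct_mgmt() returning
PAM_NEW_AUTHTOK_REQD, which sshd treats as a successful login that must
change its password before getting a session.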