Hello Damien,
> I guess my only concern is that this would cause pam_end() to potentially be called multiple times, once in the parent process (without PAM_DATA_SILENT) and zero to many times in child session processes. E.g. a forwarding-only session might have no child session process, whereas a multiplexed connection might have many child processes, all of which will share the same pam_handle. How will PAM cope with this?

should work as intended. pam_end() with PAM_DATA_SILENT is sort of a "light version" of cleanup. Calling this should only free resources that were duplicated on the previous fork().

Omitting pam_end() in the child code path usually does no harm as that code path does execve() anyway. But with the latest additions to pam_cap.so to support the ambient vector, some more important tasks were included on that code path.

Linux PAM is aware that resources which are needed to maintain a session should be freed only on pam_end() called by the parent (without PAM_DATA_SILENT). And so should be the modules. E.g. have a look at the latest fix for this in the Kerberos module:
https://github.com/rra/pam-krb5/issues/21

As pam_end() with PAM_DATA_SILENT should be called once per fork() (or once per child) there should not be a problem with forwarding-only or multiplexed connections. At least as long as the PAM modules conform to the Linux PAM documentation.

Cheers,
Björn
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
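
The cleanup rule discussed in this message, as an added example that is not part of the original e-mail and is not OpenSSH, Linux-PAM or pam-krb5 code. It is a stand-alone model that does not link against libpam: `MODEL_DATA_SILENT`, `session_data`, `model_cleanup` and `run_session` are hypothetical names, and a file under /tmp stands in for a resource the session needs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stand-in for PAM_DATA_SILENT; real code takes the flag from the Linux-PAM headers. */
#define MODEL_DATA_SILENT 0x40000000

struct session_data {            /* hypothetical per-session module data */
    char cache_path[128];        /* names a resource shared by parent and children */
};

/* Models a module's data cleanup callback, which sees the status given to pam_end(). */
static void model_cleanup(struct session_data *d, int status)
{
    if (!(status & MODEL_DATA_SILENT))
        unlink(d->cache_path);   /* session resource: released by the parent only */
    free(d);                     /* this process's copy: always released */
}

/* Creates the resource, forks nchildren session processes that each do the
 * silent cleanup, then does the full cleanup in the parent.
 * Returns the number of children that still saw the resource, or -1 on error. */
int run_session(const char *path, int nchildren)
{
    struct session_data *d = malloc(sizeof *d);
    if (!d) return -1;
    snprintf(d->cache_path, sizeof d->cache_path, "%s", path);
    FILE *f = fopen(d->cache_path, "w");
    if (!f) { free(d); return -1; }
    fclose(f);
    int intact = 0;
    for (int i = 0; i < nchildren; i++) {
        pid_t pid = fork();
        if (pid < 0) break;
        if (pid == 0) {                          /* child session process */
            model_cleanup(d, MODEL_DATA_SILENT); /* once per fork() */
            _exit(access(path, F_OK) == 0 ? 0 : 1);
        }
        int st;
        if (waitpid(pid, &st, 0) == pid && WIFEXITED(st) && WEXITSTATUS(st) == 0)
            intact++;
    }
    model_cleanup(d, 0);                         /* parent: full cleanup, once */
    return intact;
}
```

With `nchildren` set to 0 the function models the forwarding-only case, where only the parent's full cleanup runs.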