On Mon, 16 Dec 2024, Michal Sekletar wrote:

> Hello everyone,
>
> I am trying to adjust the systemd-logind classification of the SSH
> session opened by Ansible client. By default the SSH session created
> by Ansible client is Class=user and Type=tty in systemd-logind.
> pam_systemd.so allows users to change this default via the environment
> variables XDG_SESSION_CLASS and XDG_SESSION_TYPE. When I set these
> variables on the client and make sure they are accepted by the server
> I observe in the log that variables are set but that happens *after*
> PAM session is created in the child process. Hence I have two obvious
> questions...
>
> Is my analysis correct and thus it is not possible to influence PAM
> session set up via environment variables set by the client? If so,
> would you be open to accepting the patch to change that, i.e. all
> environment variables set by the client would be exposed in the child
> process that opens the PAM session?

User-specified environment variables are not propagated to the
environment where sshd invokes PAM modules because the SSH protocol
sends them at the time a session is opened, well after authentication
has completed.

At best, they could be made available to the PAM session modules
but there's no way to make user-specified environment available to
auth and account modules.

Similarly, environment variables _set by_ PAM override anything the
user set by SetEnv/SendEnv, on the basis that admin-specified environment
shouldn't be manipulable by a (usually) unprivileged user.

-d