Hello, I have written a PAM (should I say "PAM" or "PAM module"?) that will send an alert when a given user logs into the system. However, I am a bit confused as to how to configure when the module should be used by PAM. I want the module to only run if the user has already been authenticated. At first I considered using the following as the configuration line: auth optional /lib/security/pam_login_alert.so But that will generate an alert even if the user is not authenticated via pam_unix.so or something similar. (My module returns PAM_IGNORE.) I then considered using the module only when a session is opened via: session optional /lib/security/pam_login_alert.so But I'm not sure if every application will actually open a session. This means that the module may not be invoked even if the user is actually authenticated for the service. What is the best way to do this? Suggestions are appreciated.
