I would like to determine if authentication on sshd is done with key or with password, and then run some other modules based on this.
This is not straightforward because sshd does not use PAM to do key authentication, but it can use PAM for password authentication (if appropriately configured).
So my idea was: I put a pam_env somewhere in the PAM file; if I then find the variable, it means authentication was by password.
It turned out things are a little bit more complicated, because sshd always uses PAM, at least in part. From what I understand sshd works like this:
1. PAM account;
2a. key authentication without PAM;
2b. PAM auth (pam_authenticate) if authentication was not done with key;
3. PAM auth (pam_setcred) - in any case, also when authentication was by key;
4. PAM open session;
5. PAM auth (pam_setcred) - it is not clear to me why pam_setcred is called again.
The new idea is to put a pam_env in the auth section, and check the variable in a pam_exec module in the session section (because there I am sure that authentication was successful).
The last obstacle is that pam_env runs only on pam_setcred and not on pam_authenticate, so I'm thinking about patching pam_env to have it work on pam_authenticate instead, if a specific parameter is passed.
What do you think? Does it make any sense? Do you see a different/better/easier option?
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
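A sketch of the pam_exec side of the scheme described above, written as an added example (not code from the post): a script run by `pam_exec.so` in the session section that classifies the login as password or key based on whether a marker variable, assumed here to be named `SSHD_PW_AUTH` and set by the pam_env line in the auth section, is present in the PAM environment that pam_exec hands to its child. The script path and the marker name are assumptions.

```shell
#!/bin/sh
# Hypothetical helper for pam_exec.so in the session section of /etc/pam.d/sshd
# (example code, not from the original post). Assumed stack, with the marker
# only present after a pam_authenticate run, as the post proposes:
#   auth     optional pam_env.so  conffile=/etc/security/sshd_pw_marker.conf  # assumed: sets SSHD_PW_AUTH
#   session  optional pam_exec.so /usr/local/sbin/sshd_auth_method.sh        # assumed path
# pam_exec exports the PAM environment plus PAM_TYPE, PAM_USER and PAM_RHOST
# to the child, which is what this script reads.

# classify_auth PAM_TYPE MARKER
# Prints "password" when the marker is set, "key" when it is empty, and "skip"
# for any phase other than open_session (pam_exec may also be wired into
# other phases; only the session phase is after a successful authentication).
classify_auth() {
    pam_type="$1"
    marker="$2"
    case "$pam_type" in
        open_session) ;;
        *) echo skip; return 0 ;;
    esac
    if [ -n "$marker" ]; then
        echo password
    else
        echo key
    fi
    return 0
}

# Act only when really invoked by pam_exec (it always sets PAM_TYPE);
# sourcing or running the file by hand does nothing.
if [ -n "${PAM_TYPE:-}" ]; then
    method=$(classify_auth "$PAM_TYPE" "${SSHD_PW_AUTH:-}")
    case "$method" in
        password|key)
            # Record the outcome for the auth log; the "|| true" keeps the
            # exit status 0 so a logging failure can never block a login.
            logger -p auth.info -t sshd-auth-method \
                "user=${PAM_USER:-?} rhost=${PAM_RHOST:-?} method=$method" || true
            ;;
    esac
fi
```

Whatever the script exits with is what pam_exec returns to the stack, so with `optional` (or a non-zero exit avoided as above) the classification never changes whether the session opens.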