Let's say that I have configured sshd (linked against the libpam.so.0 shared library) to use PAM and I have the following /etc/pam.d/sshd content:
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so try_first_pass
auth required pam_google_authenticator.so
account requisite pam_nologin.so
account required pam_unix.so try_first_pass
password requisite pam_cracklib.so
password required pam_unix.so use_authtok nullok shadow try_first_pass
session required pam_loginuid.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_env.so
session optional pam_lastlog.so silent noupdate showfailed
Am I correct that PAM informs sshd about success or failure at the end of each stack? So first the auth facilities are processed and then the result is returned to sshd, then the account facilities are processed and the result of the account stack is returned to sshd, etc.? Is PAM informed by the daemon when an authenticated session ends?
Best Answer
In a sense that is what is happening, but I would not phrase it that way, because PAM does not inform sshd actively; rather, sshd asks PAM via function calls (like pam_authenticate, pam_acct_mgmt, etc.) and acts according to the results. PAM also does not automatically know when a session is closed, but has to be informed via pam_close_session (since a session can be closed from another application). You can look up the source code of OpenSSH in order to understand where and how sshd utilizes PAM. I would also recommend the Linux-PAM Application Developers' Guide if you are interested in the details.
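As an added illustration of the answer (example code written for this page, not from the question, the answer, OpenSSH or Linux-PAM), the following Python script simulates the application side of that exchange. It parses the /etc/pam.d/sshd content from the question, evaluates each management group with the semantics of Linux-PAM's simple control flags (required, requisite, sufficient, optional, and a module returning PAM_IGNORE), and then walks the call order an sshd-like client follows: pam_authenticate, pam_acct_mgmt, pam_open_session and, only when the client decides the session is over, pam_close_session. The module results fed in are constructed; pam_setcred, pam_end and the conversation function are left out, and treating an empty stack as a denial is an assumption of the simulation.

```python
"""Simulate how an sshd-like client drives the PAM stacks (added example, not OpenSSH code)."""
from dataclasses import dataclass

# Return codes as numbered in Linux-PAM's <security/_pam_types.h>.
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_ACCT_EXPIRED = 13
PAM_SESSION_ERR = 14
PAM_IGNORE = 25

CONTROLS = ("required", "requisite", "sufficient", "optional")

# The /etc/pam.d/sshd from the question, embedded so the example runs offline.
SSHD_PAM_CONFIG = """\
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so try_first_pass
auth required pam_google_authenticator.so
account requisite pam_nologin.so
account required pam_unix.so try_first_pass
password requisite pam_cracklib.so
password required pam_unix.so use_authtok nullok shadow try_first_pass
session required pam_loginuid.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_env.so
session optional pam_lastlog.so silent noupdate showfailed
"""


@dataclass(frozen=True)
class Entry:
    group: str      # auth | account | password | session
    control: str    # one of CONTROLS
    module: str
    args: tuple


def parse_pam_config(text):
    """Parse pam.d-style lines 'type control module [args...]'; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in CONTROLS:
            raise ValueError(f"unsupported pam.d line: {raw!r}")
        entries.append(Entry(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return entries


def run_stack(entries, group, module_results):
    """Evaluate one management group and return (rc, trace).

    module_results maps 'module' or 'group:module' to the code that module would
    return (constructed input); unlisted modules succeed. trace lists the modules
    actually invoked, which shows where the stack stopped.
    """
    stack = [e for e in entries if e.group == group]
    if not stack:
        return PAM_PERM_DENIED, []          # no handlers configured: deny (assumption)
    verdict = None                          # None = undecided, True/False = current impression
    status = PAM_SUCCESS                    # fixed by the first required/requisite failure
    trace = []
    for e in stack:
        rc = module_results.get(f"{group}:{e.module}", module_results.get(e.module, PAM_SUCCESS))
        trace.append((e.control, e.module, rc))
        if rc == PAM_IGNORE:                # module asks to be treated as absent
            continue
        ok = rc == PAM_SUCCESS
        if e.control in ("required", "requisite"):
            if not ok and verdict is not False:
                verdict, status = False, rc
            elif ok and verdict is None:
                verdict = True
            if not ok and e.control == "requisite":
                return status, trace        # requisite failure: return to the caller now
        elif e.control == "sufficient":
            if ok and verdict is not False:
                return PAM_SUCCESS, trace   # enough: the rest of the stack is skipped
            # a failing sufficient module is ignored
        elif e.control == "optional" and len(stack) == 1:
            verdict, status = ok, rc        # optional only counts when it is alone
    return (status if verdict is False else PAM_SUCCESS), trace


def pam_client_session(entries, module_results):
    """Follow the order an sshd-like client uses: each pam_* call evaluates one
    group and hands that group's verdict back; closing the session is explicit."""
    calls = []
    for call, group in (("pam_authenticate", "auth"),
                        ("pam_acct_mgmt", "account"),
                        ("pam_open_session", "session")):
        rc, _ = run_stack(entries, group, module_results)
        calls.append((call, rc))
        if rc != PAM_SUCCESS:
            return calls                    # the client stops at the first failing group
    # ... the login runs here; only the client knows when it ends ...
    rc, _ = run_stack(entries, "session", module_results)
    calls.append(("pam_close_session", rc))
    return calls


if __name__ == "__main__":
    entries = parse_pam_config(SSHD_PAM_CONFIG)
    # Constructed scenario: password accepted, one-time code rejected.
    rc, trace = run_stack(entries, "auth", {"pam_google_authenticator.so": PAM_AUTH_ERR})
    print("auth ->", rc, [m for _, m, _ in trace])
    for call, rc in pam_client_session(entries, {}):
        print(f"{call:18s} -> {rc}")
```

Running it shows the two points of the answer: a failing required module (pam_google_authenticator.so in the constructed run) still lets the remaining auth modules execute before the stack's verdict is handed back from pam_authenticate, whereas a failing requisite module (pam_nologin.so) returns at once; and the session stack is evaluated a second time only because the client itself calls pam_close_session.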