Understanding communication between PAM and PAM-aware daemon


Let's say that I have configured sshd (linked against the libpam.so.0 shared library) to use PAM and I have the following /etc/pam.d/sshd content:

auth        requisite   pam_nologin.so
auth        required    pam_env.so
auth        required    pam_unix.so                 try_first_pass
auth        required    pam_google_authenticator.so
account     requisite   pam_nologin.so
account     required    pam_unix.so                 try_first_pass
password    requisite   pam_cracklib.so
password    required    pam_unix.so                 use_authtok nullok shadow try_first_pass
session     required    pam_loginuid.so
session     required    pam_limits.so
session     required    pam_unix.so                 try_first_pass
session     optional    pam_umask.so
session     optional    pam_systemd.so
session     optional    pam_env.so
session     optional    pam_lastlog.so              silent noupdate showfailed

Am I correct that PAM informs sshd about success or failure at the end of each stack? So first auth facilities are processed and then the result is returned to sshd, then account facilities are processed and result of account stack is returned to sshd, etc? Is PAM informed by daemon when authenticated session ends?

Best Answer

In a sense that is what is happening, but I would not phrase it that way, because PAM does not inform sshd actively; rather, sshd asks PAM via function calls (like pam_authenticate, pam_acct_mgmt, etc.) and acts according to the results. PAM also does not automatically know when a session is closed, but has to be informed via pam_close_session (since a session can be closed from another application).

You can look up the source code of OpenSSH to see where and how sshd utilizes PAM. I would also recommend the Linux-PAM Application Developers' Guide if you are interested in the details.
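The call sequence the answer describes, shown as an added example that is not code from OpenSSH or Linux-PAM: a minimal PAM-aware client that loads libpam.so.0 through ctypes and calls pam_start, pam_authenticate, pam_acct_mgmt, pam_open_session, pam_close_session and pam_end in the order sshd does. Every name below other than the libpam entry points and the Linux-PAM constants is an assumption for this example: the service name, user, prompt answers and the "ssh" tty value are caller-supplied, and the conversation callback matches prompts by substring (e.g. "Password" for pam_unix, "Verification code" for pam_google_authenticator).

```python
"""Added example (not OpenSSH or Linux-PAM code): a minimal PAM-aware client that
calls libpam.so.0 via ctypes in the order sshd does. Assumes a Linux host with
Linux-PAM; service, user and prompt answers are caller-supplied. Running the
question's stack needs root (pam_unix reads /etc/shadow) and an enrolled TOTP key."""
import ctypes
from ctypes import POINTER, c_char_p, c_int, c_size_t, c_void_p

# Values from <security/_pam_types.h>.
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_ERR = 0, 5, 19
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4
PAM_TTY = 3

class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]

class PamResponse(ctypes.Structure):
    # resp must point at malloc()ed memory: libpam free()s each reply after the conv returns.
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]

CONV_FUNC = ctypes.CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                             POINTER(POINTER(PamResponse)), c_void_p)

class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]

def answer_messages(messages, answers):
    """Conversation logic without ctypes. messages: [(msg_style, prompt bytes)];
    answers: {prompt substring: reply}, e.g. {"Password": pw, "Verification code": otp}
    for the pam_unix + pam_google_authenticator stack above. Returns (retcode, replies),
    one reply per message (None for info/error text). A prompt we cannot answer fails
    with PAM_CONV_ERR instead of feeding the module an empty string."""
    replies = []
    for style, prompt in messages:
        if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
            text = prompt.decode("utf-8", "replace").lower()
            reply = next((v for k, v in answers.items() if k.lower() in text), None)
            if reply is None:
                return PAM_CONV_ERR, []
            replies.append(reply)
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            replies.append(None)
        else:
            return PAM_CONV_ERR, []
    return PAM_SUCCESS, replies

def make_conv(answers, libc):
    """Wrap answer_messages() as the C callback libpam invokes per batch of prompts."""
    libc.calloc.argtypes, libc.calloc.restype = [c_size_t, c_size_t], c_void_p
    libc.strdup.argtypes, libc.strdup.restype = [c_char_p], c_void_p

    @CONV_FUNC
    def conv(num_msg, msg, resp, _appdata):
        messages = [(msg[i].contents.msg_style, msg[i].contents.msg or b"")
                    for i in range(num_msg)]
        rc, replies = answer_messages(messages, answers)
        if rc != PAM_SUCCESS:
            return rc
        arr = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not arr:
            return PAM_BUF_ERR
        responses = ctypes.cast(arr, POINTER(PamResponse))
        for i, reply in enumerate(replies):
            if reply is not None:
                responses[i].resp = libc.strdup(reply.encode())
        resp[0] = responses
        return PAM_SUCCESS
    return conv

def run_pam_sequence(service, user, answers):
    """Call the libpam entry points in sshd's order and return each stage's code.
    Each call runs one stack of /etc/pam.d/<service>; its int result is the only way
    the application learns that stack's verdict, and the session ends only when the
    application itself calls pam_close_session()."""
    libpam, libc = ctypes.CDLL("libpam.so.0"), ctypes.CDLL(None)
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    libpam.pam_set_item.argtypes = [c_void_p, c_int, c_char_p]
    for name in ("pam_authenticate", "pam_acct_mgmt", "pam_open_session",
                 "pam_close_session", "pam_end"):
        getattr(libpam, name).argtypes = [c_void_p, c_int]
    conv = PamConv(make_conv(answers, libc), None)   # struct keeps the callback referenced
    handle, results = c_void_p(), {}
    rc = libpam.pam_start(service.encode(), user.encode(), ctypes.byref(conv), ctypes.byref(handle))
    results["pam_start"] = rc
    if rc != PAM_SUCCESS:
        return results
    libpam.pam_set_item(handle, PAM_TTY, b"ssh")      # assumed tty name; session modules expect one
    rc = libpam.pam_authenticate(handle, 0)            # auth stack
    results["pam_authenticate"] = rc
    if rc == PAM_SUCCESS:
        rc = libpam.pam_acct_mgmt(handle, 0)           # account stack
        results["pam_acct_mgmt"] = rc
    if rc == PAM_SUCCESS:
        rc = libpam.pam_open_session(handle, 0)        # session stack, open half
        results["pam_open_session"] = rc
        if rc == PAM_SUCCESS:
            # ... the login shell would run here; PAM is not told it exited ...
            results["pam_close_session"] = libpam.pam_close_session(handle, 0)
    results["pam_end"] = libpam.pam_end(handle, rc)    # final status is handed to the modules
    return results
```

Usage, as root on a host with the stack from the question: `run_pam_sequence("sshd", "alice", {"Password": pw, "Verification code": otp})` returns a dict with one return code per libpam call, which makes the answer's point visible: auth, account and session are three separate calls with three separate verdicts, and pam_close_session only runs because the application chose to call it. The conversation function is deliberately strict; returning PAM_CONV_ERR for a prompt it cannot answer is safer than handing a module an empty string, and the replies are strdup()ed because libpam frees them.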
