Authentication with PAM
When OpenSSH is built with PAM support, on getting an authentication
request the OpenSSH daemon will invoke PAM functions, as instructed in the
/etc/pam.d/sshd file.

At what point(s) before the authentication stage is concluded does the
daemon invoke such functions? What are the criteria that have been adopted
to select when to start interacting with PAM? I am pretty sure that, for
example, the validity of the username is tested before PAM gets at all
involved, right?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Authentication with PAM
On Thu, 8 Aug 2019, JCA wrote:

> When OpenSSH is built with PAM support, on getting an authentication
> request the OpenSSH daemon will invoke PAM functions, as instructed in the
> /etc/pam.d/sshd file.
>
> At what point(s) before the authentication stage is concluded does the
> daemon invoke such functions? What are the criteria that have been adopted
> to select when to start interacting with PAM? I am pretty sure that, for
> example, the validity of the username is tested before PAM gets at all
> involved, right?

Yes, the username is tested before pam_start() is called.

The PAM account stack is queried after each successful (SSH-wise)
authentication and has a chance to cancel the authentication.

Finally, the PAM session module is called in the privileged sshd
process after authentication has completed.

It's a bit of a mess, but it's the best we could do to shoehorn PAM
into OpenSSH's privilege separation without accepting large amounts
of additional complexity (reentrance or threads).

-d
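The ordering described in the reply above, as an added toy model (not OpenSSH's code): sshd validates the username itself before pam_start(), runs the PAM account stack after each SSH-level method succeeds and lets it veto, and only calls the session stack from the privileged process once authentication is complete. pam_start, pam_acct_mgmt and pam_open_session are the real PAM API names; the module factories (pam_access, pam_nologin, pam_mkhomedir), the Sshd driver, the user list and the sample addresses are simplified, constructed stand-ins.

```python
"""Toy model of the sshd <-> PAM call ordering from the reply above.

This is an added illustration, not OpenSSH code. pam_start, pam_acct_mgmt
and pam_open_session are the real PAM API names; the module factories and
the Sshd driver are simplified stand-ins for sshd's own logic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

AccountModule = Callable[[str, str], bool]   # (user, rhost) -> permit?
SessionModule = Callable[[str], None]        # (user) -> side effect
AuthMethod = Tuple[str, Callable[[str], bool]]

VALID_USERS = {"alice", "bob"}   # constructed: sshd's own view of which accounts exist


def pam_access(allowed: Dict[str, List[str]]) -> AccountModule:
    """pam_access-style account rule: user may log in only from the listed networks."""
    def module(user: str, rhost: str) -> bool:
        addr = ipaddress.ip_address(rhost)
        return any(addr in ipaddress.ip_network(n) for n in allowed.get(user, []))
    return module


def pam_nologin(nologin_file_present: bool) -> AccountModule:
    """pam_nologin-style account rule: non-root users are refused while /etc/nologin exists."""
    return lambda user, rhost: user == "root" or not nologin_file_present


def pam_mkhomedir(created: List[str]) -> SessionModule:
    """Session-stage side effect, recorded so a caller can see that it ran."""
    return lambda user: created.append(f"/home/{user}")


@dataclass
class PamStacks:
    account: List[AccountModule]
    session: List[SessionModule]


@dataclass
class Sshd:
    pam: PamStacks
    privileged: bool = True          # True in the monitor (privileged) process
    trace: List[str] = field(default_factory=list)

    def authenticate(self, user: str, rhost: str, required: List[AuthMethod]) -> bool:
        """Run the required SSH-level methods in order (as AuthenticationMethods would).

        Returns True once every method has succeeded and PAM has not vetoed.
        """
        # 1. sshd checks the username itself; an unknown user never reaches PAM.
        if user not in VALID_USERS:
            self.trace.append("unknown user; pam_start not called")
            return False
        self.trace.append("pam_start")
        for name, method in required:
            if not method(user):
                # Real sshd lets the client retry up to MaxAuthTries; the model just stops.
                self.trace.append(f"{name}: failed")
                return False
            self.trace.append(f"{name}: ok (SSH-wise)")
            # 2. The account stack runs after each successful method and may veto.
            #    sshd treats a veto as fatal for the connection.
            if not all(m(user, rhost) for m in self.pam.account):
                self.trace.append("pam_acct_mgmt: denied; connection closed")
                return False
            self.trace.append("pam_acct_mgmt: allowed")
        self.trace.append("authentication complete")
        # 3. Session modules run in the privileged process, only after auth completes.
        if not self.privileged:
            raise RuntimeError("session stack must run in the privileged process")
        for m in self.pam.session:
            m(user)
        self.trace.append("pam_open_session")
        return True


def demo() -> Tuple[Dict[str, Tuple[bool, List[str]]], List[str]]:
    """Three runs: unknown user, key login vetoed by the account stack, key login accepted."""
    created: List[str] = []
    stacks = PamStacks(
        account=[pam_access({"alice": ["10.0.0.0/8"]}), pam_nologin(False)],
        session=[pam_mkhomedir(created)],
    )
    pubkey: AuthMethod = ("publickey", lambda u: True)   # signature already verified
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for label, user, rhost in [("unknown", "mallory", "10.0.0.5"),
                               ("vetoed", "alice", "192.0.2.7"),
                               ("accepted", "alice", "10.0.0.5")]:
        s = Sshd(stacks)
        ok = s.authenticate(user, rhost, [pubkey])
        results[label] = (ok, s.trace)
    return results, created


if __name__ == "__main__":
    runs, homedirs = demo()
    for label, (ok, trace) in runs.items():
        print(f"{label}: {'accepted' if ok else 'rejected'} -> {trace}")
    print("session side effects:", homedirs)
```

The "vetoed" run is the practical point: the key itself is fine, so an access restriction placed only in an `auth` line would never have been consulted for a publickey login, whereas the same rule in the `account` stack is reached after every successful method and cancels the login before any session module runs.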