On Thu, 8 Aug 2019, JCA wrote:
> When OpenSSH is built with PAM support, on getting an authentication
> request the OpenSSH daemon will invoke PAM functions, as instructed in the
> /etc/pam.d/sshd file.
>
> At what point(s) before the authentication stage is concluded does the
> daemon invoke such functions? What are the criteria that have been adopted
> to select when to start interacting with PAM? I am pretty sure that, for
> example, the validity of the username is tested before PAM gets at all
> involved, right?
Yes, the username is tested before pam_start() is called.

The PAM account stack is queried after each successful (SSH-wise)
authentication and has a chance to cancel the authentication.

Finally, the PAM session module is called in the privileged sshd
process after authentication has completed.

It's a bit of a mess, but it's the best we could do to shoehorn PAM
into OpenSSH's privilege separation without accepting large amounts
of additional complexity (reentrance or threads).

-d
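As an added illustration (not part of the thread and not OpenSSH's own configuration), here is an annotated /etc/pam.d/sshd fragment that maps each PAM stack to the point in sshd's flow described in the reply above. The module choices (pam_unix, pam_access, pam_loginuid) are assumptions for illustration only; a real file follows the distribution's conventions (Debian-style files use @include lines instead of spelling out pam_unix).

```text
# /etc/pam.d/sshd  (illustrative; module selection is an assumption)
#
# sshd only calls pam_start() after the requested username has been
# checked, and only if sshd_config contains "UsePAM yes"; with "UsePAM no"
# nothing in this file is consulted.

# auth stack: runs only when sshd authenticates *through* PAM, i.e. for
# password and keyboard-interactive logins.  A publickey login never
# runs this stack, so do not rely on it for policy.
auth      required   pam_unix.so

# account stack: run after every successful SSH-level authentication,
# publickey included, and may veto the login (expired account, host/time
# rules in /etc/security/access.conf, ...).  This is the place for policy
# that must apply regardless of authentication method.
account   required   pam_unix.so
account   required   pam_access.so

# session stack: opened by the privileged sshd process once authentication
# has completed, before the user's session (shell, command, subsystem) is
# set up.
session   required   pam_loginuid.so
session   required   pam_unix.so
```

A quick check that the account stage really runs after key-based authentication: add a deny rule for a test user in /etc/security/access.conf and log in with a valid key. The key is accepted at the SSH level, but the login is refused, and sshd logs "Access denied for user ... by PAM account configuration".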