On Mon, 16 Dec 2024, Michal Sekletar wrote:
> Hello everyone,
>
> I am trying to adjust the systemd-logind classification of the SSH
> session opened by Ansible client. By default the SSH session created
> by Ansible client is Class=user and Type=tty in systemd-logind.
> pam_systemd.so allows users to change this default via the environment
> variables XDG_SESSION_CLASS and XDG_SESSION_TYPE. When I set these
> variables on the client and make sure they are accepted by the server
> I observe in the log that variables are set but that happens *after*
> PAM session is created in the child process. Hence I have two obvious
> questions...
>
> Is my analysis correct and thus it is not possible to influence PAM
> session set up via environment variables set by the client? If so,
> would you be open to accepting the patch to change that, i.e. all
> environment variables set by the client would be exposed in the child
> process that opens the PAM session?

User-specified environment variables are not propagated to the
environment where sshd invokes PAM modules because the SSH protocol
sends them at the time a session is opened, well after authentication
has completed. At best, they could be made available to the PAM
session modules but there's no way to make user-specified environment
available to auth and account modules.

Similarly, environment variables _set by_ PAM override anything the
user set by SetEnv/SendEnv, on the basis that admin-specified
environment shouldn't be manipulable by a (usually) unprivileged
user.

-d