
Behaviour of OpenSSH when logging in as root and as a non-root account


I am writing a PAM module for SSH to enforce one more layer of authentication. For that I need the terminal ID in the close_session() and pam_sm_setcred() functions of the PAM module, but OpenSSH hardcodes it to "ssh". I made a few changes in the OpenSSH code so that it sets the terminal ID properly. These changes were:

I added do_pam_set_tty() to the session_pty_req(Session *s) function in session.c, and added do_pam_set_tty() to the mm_pty_allocate() function in monitor_wrap.c.

It works fine for root, and I get the appropriate tty in the pam_sm_cred() and pam_sm_close_session() functions.

But using the same code, when I try to ssh through a non-root account, I get the tty in pam_sm_close_session() but not in pam_sm_cred(). I am not sure why ssh behaves differently for root and non-root accounts.

Is there anything that triggers this SSH behavior for root and non-root accounts, or can anyone suggest what might be wrong here? I have no idea how to proceed, and it would be great if someone could give me some pointers.


Solution

  • I got the solution. It was due to privilege separation. Post-auth privilege separation is disabled for root users and enabled for other users by default. To get the tty thing working I disabled privilege separation in the /etc/ssh/sshd_config file.

    For more details: http://www.citi.umich.edu/u/provos/papers/privsep.pdf
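
A defender's check for the setting the answer changed, as an added example that is not part of the original answer: it reports the effective global `UsePrivilegeSeparation` value in an sshd_config so that a host left with privilege separation disabled can be found. It assumes sshd's rules that keywords are case-insensitive and that the first occurrence of a keyword wins; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample config for illustration; not taken from the page.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
UsePAM yes
useprivilegeseparation no
UsePrivilegeSeparation sandbox
Match User deploy
    X11Forwarding no
"""


def effective_global(config_text, keyword):
    """Return (value, line_number) for the first global occurrence of
    keyword, or None if it is not set before the first Match block."""
    wanted = keyword.lower()
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no settings
        # Keyword and argument are separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below belongs to a conditional block
        if key == wanted:
            tokens = parts[1].split() if len(parts) > 1 else []
            value = tokens[0].strip('"').lower() if tokens else ""
            return value, lineno  # first occurrence wins, later ones are ignored
    return None


def audit_privsep(config_text):
    """Flag a config whose effective setting disables privilege separation."""
    hit = effective_global(config_text, "UsePrivilegeSeparation")
    if hit is None:
        return "OK: UsePrivilegeSeparation not set, sshd uses its built-in default"
    value, lineno = hit
    if value == "no":
        return f"FINDING: line {lineno} disables privilege separation"
    return f"OK: line {lineno} sets UsePrivilegeSeparation {value}"


if __name__ == "__main__":
    print(audit_privsep(SAMPLE_SSHD_CONFIG))
```

In the sample, the lowercase `no` on line 4 is the effective value, and the later `sandbox` line has no effect.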