Tags: c, linux, ubuntu, pam, sshd

Why is pam_sm_authenticate called twice on SSH login?


I am trying to make a PAM module that authenticates user and password and also gets a trap when a logout has occurred, but I don't understand why pam_sm_authenticate is called twice.
I have built my own pam_hook.so, compiled with:

 gcc -fPIC -Wall -shared -o pam_hook.so pam_hook.c -lpam

I have implemented these functions:

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv);
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv);
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv);
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv);
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv);
PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv);

I write a line to a file on each entry to these functions. The order of the calls to the functions on login of an sshd user:

function : pam_sm_authenticate
function : pam_sm_setcred
function : pam_sm_open_session
function : pam_sm_setcred
function : pam_sm_authenticate

And on sshd logout:

function : pam_sm_close_session
function : pam_sm_setcred

I can't understand why pam_sm_authenticate is called twice. My /etc/pam.d/sshd:

# cat /etc/pam.d/sshd
 session     optional        /path_to/pam_hook.so
 auth        requisite       /path_to/pam_hook.so

Solution

  • Just faced this problem and it took me time to find the reason. In my case I use a custom conversation in pam_sm_authenticate() to ask the user for a second password. My module was called twice, but the first time my conversation was not prompted to the user, although it succeeded by return value. And the response was empty, so my module failed authentication.

    Going through the OpenSSH code I found that if PasswordAuthentication is set to yes, sshd will use a "blind" method for your conversation. Your prompts will be ignored and the response will be the password provided by the user before. My password was empty, so my module got an empty response.

    I hate this undocumented magic.
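The "blind" conversation the answer describes, as an added example that is not part of the original post and not OpenSSH's or the poster's code. In OpenSSH's auth-pam.c, the conversation function sshd installs for the PasswordAuthentication path (sshpam_passwd_conv) answers every PAM_PROMPT_ECHO_OFF/PAM_PROMPT_ECHO_ON message with the password the client already sent and drops informational text; blind_conv below is a model of that behaviour, not the real function. The few PAM constants and structs are a constructed subset of <security/pam_appl.h>, declared inline so the file builds without libpam, and second_factor_auth, the "hunter2" and "otp-123456" strings and the prompt texts are hypothetical. second_factor_auth plays the module side: it asks for a second password and treats a failed conversation, a NULL response or an empty string as a failure rather than a pass.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed subset of the PAM conversation ABI (<security/pam_appl.h>),
 * declared inline so the example builds and runs without libpam. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
typedef int (*pam_conv_fn)(int, const struct pam_message **,
                           struct pam_response **, void *);

static void free_responses(int n, struct pam_response *reply)
{
    for (int i = 0; i < n; i++)
        free(reply[i].resp);
    free(reply);
}

/* Model of sshd's "blind" conversation on the PasswordAuthentication path
 * (sshpam_passwd_conv in auth-pam.c): the prompt text is never shown to
 * anyone; every PAM_PROMPT_ECHO_* message is answered with the password the
 * client already sent (appdata), and info/error messages get no answer. */
static int blind_conv(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata)
{
    const char *cached_password = appdata;
    struct pam_response *reply = calloc((size_t)n, sizeof *reply);
    if (reply == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        reply[i].resp_retcode = PAM_SUCCESS;
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF &&
            msg[i]->msg_style != PAM_PROMPT_ECHO_ON)
            continue;                         /* nothing to answer */
        size_t len = strlen(cached_password) + 1;
        if ((reply[i].resp = malloc(len)) == NULL) {
            free_responses(i, reply);
            return PAM_CONV_ERR;
        }
        memcpy(reply[i].resp, cached_password, len);   /* prompt ignored */
    }
    *resp = reply;
    return PAM_SUCCESS;
}

/* Module side (hypothetical): what a pam_sm_authenticate() that asks for a
 * second password must do with the answer. A failed conversation, a NULL
 * response or an empty string is a failure, never a pass. The batch also
 * carries a PAM_TEXT_INFO line, which the blind conversation drops. The raw
 * answer is copied into got (if non-NULL) so the caller sees what came back. */
static int second_factor_auth(pam_conv_fn conv, void *appdata,
                              const char *expected, char *got, size_t gotsz)
{
    const struct pam_message info   = { PAM_TEXT_INFO, "Second factor required." };
    const struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "Second password: " };
    const struct pam_message *msgs[2] = { &info, &prompt };
    struct pam_response *resp = NULL;
    int rc = PAM_AUTH_ERR;

    if (got != NULL && gotsz > 0)
        got[0] = '\0';
    if (conv(2, msgs, &resp, appdata) != PAM_SUCCESS || resp == NULL)
        return PAM_CONV_ERR;
    if (resp[1].resp != NULL && resp[1].resp[0] != '\0') {
        if (got != NULL && gotsz > 0)
            snprintf(got, gotsz, "%s", resp[1].resp);
        if (strcmp(resp[1].resp, expected) == 0)
            rc = PAM_SUCCESS;
    }
    free_responses(2, resp);
    return rc;
}

int main(void)
{
    char got[64];
    int rc = second_factor_auth(blind_conv, (void *)"hunter2", "otp-123456", got, sizeof got);
    printf("client password 'hunter2':   rc=%d, answer to second prompt='%s'\n", rc, got);
    rc = second_factor_auth(blind_conv, (void *)"", "otp-123456", got, sizeof got);
    printf("empty client password:       rc=%d, answer to second prompt='%s'\n", rc, got);
    rc = second_factor_auth(blind_conv, (void *)"otp-123456", "otp-123456", got, sizeof got);
    printf("client sent token as password: rc=%d\n", rc);
    return 0;
}
```

The first two runs reproduce the answer's symptom: the module's prompt is answered with whatever the client put in the SSH password field, so with "hunter2" the second factor mismatches and with an empty password the module sees an empty string. The third run shows the flip side: the module "passes" only because the client typed the token into the password field, so a second-password prompt on the PasswordAuthentication path is not an independent factor. Prompts only reach the client on sshd's keyboard-interactive path, where auth-pam.c relays them instead of answering blindly.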