On Tue, Dec 28, 2021, 16:39 beroal <m...@beroal.in.ua> wrote:

> I was not aware of `PAMName`. After reading its documentation, it's still
> not clear to me what it does and how it can be used. What's a PAM session?
> Do you have any references? Google search wasn't very helpful. AFAIK from
> the PAM documentation, session is not an entity, for example, it has no
> identifier. Is it a session stored in logind?

It's the abstract thing between pam_open_session() and pam_close_session(). Each module has its own definition of what a session really is – pam_systemd makes it an entity that exists within systemd-logind, pam_loginuid makes it an entity that exists within the kernel's audit subsystem, pam_unix just writes "user foo logged in" to the syslog. I guess you could call the entire child process tree (including reparented ones) the session.

What PAMName= does is similar to your program: it initializes PAM with the provided name, skips pam_authenticate but calls pam_acct_mgmt and pam_open_session before starting the program. It's often used for auto-login services.

> I would also like to know how systemd is supposed to handle authentication
> programs that can start a process for any user, not the one in the systemd
> unit file. I posted just a minimal example.

It doesn't get involved in those. If your program starts as root and "logs in" arbitrary users (like sshd or getty/login or lightdm), then it doesn't use PAMName= but continues calling PAM directly, like it always has.
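The following is an added illustration, not part of this thread and not from systemd's own documentation: a hypothetical auto-login style unit that uses PAMName= in the way the reply describes, together with the PAM stack it loads. The unit name `kiosk-session.service`, the PAM service name `kiosk-session`, the user `kiosk` and the program path `/usr/local/bin/kiosk-app` are all assumptions chosen for the example.

```ini
# /etc/systemd/system/kiosk-session.service  (hypothetical example unit)
[Unit]
Description=Auto-login kiosk session for user kiosk
After=systemd-logind.service
Wants=systemd-logind.service

[Service]
# PAM is initialised with the service name "kiosk-session", so the stack in
# /etc/pam.d/kiosk-session is used.  pam_authenticate() is skipped, hence the
# "auth" lines of that file are never consulted; "account" and "session" are.
# PAMName= only has an effect together with User=.
PAMName=kiosk-session
User=kiosk
# The program starts inside the opened PAM session; the session is released
# (pam_close_session) when the unit is stopped.
ExecStart=/usr/local/bin/kiosk-app
Restart=on-failure

[Install]
WantedBy=multi-user.target

# /etc/pam.d/kiosk-session  (hypothetical PAM stack for the unit above)
# "auth" is never run under PAMName=; an explicit deny keeps this stack from
# being reused for authentication by some other caller.
auth      required   pam_deny.so
# "account": pam_acct_mgmt() enforces expiry and /etc/nologin before the
# program is started.
account   required   pam_unix.so
account   required   pam_nologin.so
# "session": pam_loginuid tags the process tree with an audit login UID,
# pam_systemd registers the session with systemd-logind, pam_unix logs it.
session   required   pam_loginuid.so
session   optional   pam_systemd.so
session   required   pam_unix.so
```

After `systemctl start kiosk-session.service`, `loginctl list-sessions` should show a session for the `kiosk` user created by pam_systemd, and `cat /proc/$(pidof kiosk-app)/loginuid` should report that user's UID rather than 4294967295 (unset), which is the observable difference between this unit and one that merely sets User= without PAMName=.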