Expose list of completed auth methods to PAM

bz#2408; ok dtucker@

1 files changed, 26 insertions, 0 deletions

diff --git a/auth-pam.c b/auth-pam.c
index 9574d9ac7..de29c04c9 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -926,6 +926,27 @@ finish_pam(void)
         sshpam_cleanup();
 }
 
+static void
+expose_authinfo(const char *caller)
+{
+        char *auth_info;
+
+        /*
+         * Expose authentication information to PAM.
+         * The enviornment variable is versioned. Please increment the
+         * version suffix if the format of session_info changes.
+         */
+        if (sshpam_authctxt->session_info == NULL)
+                auth_info = xstrdup("");
+        else if ((auth_info = sshbuf_dup_string(
+            sshpam_authctxt->session_info)) == NULL)
+                fatal("%s: sshbuf_dup_string failed", __func__);
+
+        debug2("%s: auth information in SSH_AUTH_INFO_0", caller);
+        do_pam_putenv("SSH_AUTH_INFO_0", auth_info);
+        free(auth_info);
+}
+
 u_int
 do_pam_account(void)
 {
@@ -933,6 +954,8 @@ do_pam_account(void)
         if (sshpam_account_status != -1)
                 return (sshpam_account_status);
 
+        expose_authinfo(__func__);
+
         sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
         debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
             pam_strerror(sshpam_handle, sshpam_err));
@@ -1057,6 +1080,9 @@ void
 do_pam_session(void)
 {
         debug3("PAM: opening session");
+
+        expose_authinfo(__func__);
+
         sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
             (const void *)&store_conv);
         if (sshpam_err != PAM_SUCCESS)