[systemd-devel] Crond session, pam_access and pam_systemd

Thomas HUMMEL thomas.hummel at pasteur.fr
Fri Oct 16 10:41:09 UTC 2020


Hello,

If I try to sum up all of your answers, I come to the following 
understanding:

- sessions are always created via the pam_systemd module
- which is, in my case, called (sshd, crond) via the password-auth stack 
include
- so crond, through pam_systemd will cause a session to be created
- such session is created via the sd-pam helper responsible for 
pam_open_session() and pam_close_session() calls
- such a worker is started by a systemd --user instance
- so a user crontab will ultimately cause the use of the already running 
systemd --user instance of the user (because he is logged in or is 
lingered) OR the creation of a systemd --user instance for the purpose 
of the crond session creation

What I still don't quite get is:

- is it sd-pam or systemd --user or user@<uid>.service holding them 
which uses the systemd-user pam service name?

- my understanding was that pam service name is passed to pam_start(): 
in the user crontab case, my guess is that crond does this call with the 
crond service name (so pam knows what module stacks to run).
So this would mean something like the user@<uid>.service (or sd-pam) 
would itself call pam_start(systemd-user, ...) when called by pam_systemd?

So basically pam_systemd module would trigger another service which 
itself would go through pam with the systemd-user service name?

- again, why is a first ssh login session able to create the user 
session without the user having to be listed for systemd-user in 
access.conf whereas crond seems to need it (given no systemd --user 
was previously running in both cases)?

Thanks for your help

--
Thomas HUMMEL

