Use pam_exec to run a script on an ssh login event

I want to use pam_exec to run a script on an ssh login event.

On an Ubuntu base image, appending this pam configuration one-liner to /etc/pam.d/sshd.pam works (after installing openssh):

session optional pam_exec.so seteuid stdout type=open_session /etc/pam-sshd-login-hook.sh

Then I found linuxserver.io openssh-server. It's a lightweight image and makes it easy to configure with public key and user name. Thank you for creating that!

If I run it, ssh with public key auth works:

$ docker run --rm -d --name ac1 -e PUBLIC_KEY -e USER_NAME=dough lscr.io/linuxserver/openssh-server:latest

Now I want to use pam_exec to run a script on an ssh login event.

Interactively, in the ac1 container, I enable PAM in /etc/ssh/sshd_config:

...
UsePAM yes
KbdInteractiveAuthentication no
...

and restart openssh server:

# s6-svc -r /run/service/openssh-server

But upon ssh from the host machine, the server appears to accept key authentication, but promptly closes the connection before starting a shell session:

$ ssh -vvv -i ~/.ssh/mykey -p 2222 dough@172.18.0.3

debug1: Server accepts key: /home/dough/.ssh/mykey RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko
debug3: send packet: type 50
Connection closed by 172.18.0.3 port 2222

On ac1, in /config/logs/openssh/current, it seems there’s a problem with pam account management: “Authentication service cannot retrieve authentication info”:

2022-09-22 02:16:41.821095711  debug1: /config/.ssh/authorized_keys:1: matching key found: RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko
2022-09-22 02:16:41.821106309  debug1: /config/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
2022-09-22 02:16:41.821110668  Accepted key RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko found at /config/.ssh/authorized_keys:1
2022-09-22 02:16:41.821117354  debug1: restore_uid: (unprivileged)
2022-09-22 02:16:41.821121394  debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed
2022-09-22 02:16:41.821133896  debug3: mm_request_send: entering, type 23
2022-09-22 02:16:41.821202231  debug3: mm_sshkey_verify: entering [preauth]
2022-09-22 02:16:41.821204241  debug3: mm_request_send: entering, type 24 [preauth]
2022-09-22 02:16:41.821208932  debug3: mm_request_receive: entering
2022-09-22 02:16:41.821215539  debug3: monitor_read: checking request 24
2022-09-22 02:16:41.821295607  debug3: mm_answer_keyverify: publickey RSA signature verified
2022-09-22 02:16:41.821300496  debug1: auth_activate_options: setting new authentication options
2022-09-22 02:16:41.821302447  debug3: mm_request_send: entering, type 25
2022-09-22 02:16:41.821310562  debug3: mm_request_receive_expect: entering, type 102
2022-09-22 02:16:41.821312128  debug3: mm_request_receive: entering
2022-09-22 02:16:41.826582283  debug1: do_pam_account: called
2022-09-22 02:16:41.826587001  debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
2022-09-22 02:16:41.831312509  debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)
2022-09-22 02:16:41.831316748  debug3: mm_request_send: entering, type 103
2022-09-22 02:16:41.831321867  Failed publickey for dough from 172.18.0.1 port 40700 ssh2: RSA SHA256:tUHJFPJXyGdhe2poOnpbgDz1t6mhvpmSiRprMIJdFko

I’ve tried creating a minimal /etc/pam.d/sshd.pam with:

account include base-account

but no joy. Whether this file exists or not, the behaviour is the same.

Need some help here…

I’m stuck with the pam configuration to run pam_exec.

But the goal is to run a hook script on an ssh login event. How can we do that?
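
For reference, a sketch of what the script named in the pam_exec line above could contain, as an added example that is not part of the original post. pam_exec exports PAM_TYPE, PAM_SERVICE, PAM_USER and PAM_RHOST to the command it runs; the log path and the function names here are assumptions, and the script does not address the pam_acct_mgmt failure shown in the log.

```shell
#!/bin/sh
# Hypothetical contents for /etc/pam-sshd-login-hook.sh (added example).
# Records one line per opened SSH session using the variables pam_exec exports.

# Assumed log location; override by setting LOGIN_HOOK_LOG.
LOGIN_HOOK_LOG="${LOGIN_HOOK_LOG:-/var/log/ssh-login-hook.log}"

# PAM_USER and PAM_RHOST come from the connecting client. Keep only a
# conservative character set and cap the length, so a crafted value cannot
# inject newlines or extra key=value fields into the log.
sanitize() {
    printf '%s' "$1" | tr -cd '[:alnum:]._:@-' | cut -c1-64
}

# Build the log line. The timestamp is passed in as $1 so the formatting
# can be checked independently of the clock.
format_login_event() {
    printf '%s event=%s service=%s user=%s rhost=%s\n' \
        "$1" \
        "$(sanitize "${PAM_TYPE:-unknown}")" \
        "$(sanitize "${PAM_SERVICE:-unknown}")" \
        "$(sanitize "${PAM_USER:-unknown}")" \
        "$(sanitize "${PAM_RHOST:-unknown}")"
}

log_login_event() {
    # The PAM line already filters on type=open_session; guard again so the
    # script stays silent if it is ever attached to another PAM type.
    [ "${PAM_TYPE:-}" = "open_session" ] || return 0
    # Subshell: restrictive umask for a newly created log file, and a failed
    # write (read-only filesystem, missing directory) never fails the login.
    (
        umask 077
        format_login_event "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$LOGIN_HOOK_LOG"
    ) 2>/dev/null || true
    return 0
}

# Run only when invoked by pam_exec, which always sets PAM_TYPE.
if [ -n "${PAM_TYPE:-}" ]; then
    log_login_event
fi
```

Because the PAM line uses the `stdout` option, anything the script prints would be shown to the connecting user, which is why this version writes only to the log file.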