diff -wpruN --no-dereference '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c --- a~/auth-pam.c 1970-01-01 00:00:00 +++ a/auth-pam.c 1970-01-01 00:00:00 @@ -1213,6 +1213,20 @@ do_pam_account(void) return (sshpam_account_status); } +#ifdef HAVE_PAM_AUSER +void +do_pam_set_auser(const char* auser) +{ + if (auser != NULL) { + debug("PAM: setting PAM_AUSER to \"%s\"", auser); + sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser); + if (sshpam_err != PAM_SUCCESS) + error("PAM: failed to set PAM_AUSER: %s", + pam_strerror(sshpam_handle, sshpam_err)); + } +} +#endif + void do_pam_setcred(void) { diff -wpruN --no-dereference '--exclude=*.orig' a~/auth-pam.h a/auth-pam.h --- a~/auth-pam.h 1970-01-01 00:00:00 +++ a/auth-pam.h 1970-01-01 00:00:00 @@ -44,4 +44,9 @@ int sshpam_get_maxtries_reached(void); void sshpam_set_maxtries_reached(int); int is_pam_session_open(void); +#ifdef HAVE_PAM_AUSER +void do_pam_set_auser(const char *); +#endif +void do_pam_set_tty(const char *); + #endif /* USE_PAM */ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth.h a/auth.h --- a~/auth.h 1970-01-01 00:00:00 +++ a/auth.h 1970-01-01 00:00:00 @@ -98,6 +98,9 @@ struct Authctxt { #ifdef PAM_ENHANCEMENT char *authmethod_name; #endif +#ifdef HAVE_PAM_AUSER + char *auser; +#endif }; /* diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2-hostbased.c a/auth2-hostbased.c --- a~/auth2-hostbased.c 1970-01-01 00:00:00 +++ a/auth2-hostbased.c 1970-01-01 00:00:00 @@ -81,6 +81,9 @@ userauth_hostbased(struct ssh *ssh, cons debug("signature:"); sshbuf_dump_data(sig, slen, stderr); #endif +#ifdef HAVE_PAM_AUSER + authctxt->auser = NULL; +#endif pktype = sshkey_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { /* this is perfectly legal */ @@ -152,6 +155,13 @@ userauth_hostbased(struct ssh *ssh, cons sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0) authenticated = 1; +#ifdef HAVE_PAM_AUSER + if (authenticated) { + authctxt->auser = cuser; + cuser = NULL; + } +#endif + auth2_record_key(authctxt, authenticated, key); sshbuf_free(b); done: diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c --- a~/monitor.c 1970-01-01 00:00:00 +++ a/monitor.c 1970-01-01 00:00:00 @@ -393,6 +393,12 @@ monitor_child_preauth(struct ssh *ssh, s } } +#if defined(HAVE_PAM_AUSER) && defined(USE_PAM) + if (hostbased_cuser != NULL) { + free(hostbased_cuser); + hostbased_cuser = NULL; + } +#endif if (!authctxt->valid) fatal_f("authenticated invalid user"); if (strcmp(auth_method, "unknown") == 0) @@ -597,14 +603,16 @@ monitor_reset_key_state(void) { /* reset state */ free(key_blob); +#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM) free(hostbased_cuser); + hostbased_cuser = NULL; +#endif free(hostbased_chost); sshauthopt_free(key_opts); key_blob = NULL; key_bloblen = 0; key_blobtype = MM_NOKEY; key_opts = NULL; - hostbased_cuser = NULL; hostbased_chost = NULL; } @@ -1096,6 +1104,11 @@ mm_answer_pam_account(struct ssh *ssh, i if (!options.use_pam) fatal("%s: PAM not enabled", __func__); +#ifdef HAVE_PAM_AUSER + if (hostbased_cuser != NULL) + do_pam_set_auser(hostbased_cuser); +#endif + ret = do_pam_account(); if ((r = sshbuf_put_u32(m, ret)) != 0 ||