Feature: pam integration?

[Kellel]

Initial Comment

Present motd information on login similar to OpenSSH
https://www.ietf.org/rfc/rfc4252.txt Section 5.4

Proposal

Teleport is going to (optionally) use PAM to create user sessions. This will enable the full pipeline of PAM-driven session customization, which will give us access to all PAM plugins, including motd

[kontsevoy]

@Kellel OpenSSH is most distros is actually configured to integrate with pam and it's pam who's displaying motd-like prompt.

Frankly we feel this will only add unneeded complexity because Teleport performs authentication on a cluster-level, i.e. individual nodes can be as dumb as they come (for example people use Teleport to SSH into docker containers randomly flying around).

The utility of pam is somewhat questionable in a clustered environment, where user identity is stored elsewhere and user authentication happens before the SSH connection is even made (at SSH bastion/proxy), see teleport login command which doesn't require a host name: in Teleport world hosts are "dumb cattle". So it's a head scratcher. Do you mind me ask: why are you asking?

But if someone is willing to look into lightweight integration with pam, we're open to accept a decent PR. :-)

I'll mark it as "help wanted".

[eiginn]

One use case we have for using pam is assigning an "auid" that is process inherited via pam_loginuid.so and we capture this in auditd logs. Allows users to sudo to root while maintaining a trail.

[russjones]

Implemented in #1766.