How are variables passed through the PAM authentication system

If application A calls a PAM service "myapp", and the PAM service "myapp" is c开发者_StackOverflow中文版onfigured to use the pam module pam_exec.so (auth required pam_exec.so myscript) to call an external shell script:

Q: How are the variables (in particular username/password) passed from:

Application A --> PAM Service "myapp" --> pam_exec.so --> myscript

The answer, so it appears, is that it depends on the module being used.

pam_exec.so writes a number of variables (as per the man page) to the environment of the shell script, excluding the password. If the password is wanted then you should include the argument expose_authtok and it will then be written to STDIN followed by and marker.