We've overlooked calling pam_setcred() from tl-session, which should be called just before pam_open_session() and just after pam_close_session(). The consequences of this are currently unknown. We need to have a look at what popular PAM modules use the credentials step for.
Did a grep in the Linux PAM tree and found these modules using the credential step:

- pam_env : Adds/removes arbitrary environment variables
- pam_filter : filters the login TTY (which we don't have, so no issue)
- pam_group : adds additional supplemental groups
- pam_mail : informs about new mail and sets $MAIL
- pam_nologin : does something weird, but it seems to be a no-op
- pam_tally[2] : resets the login tally (not relevant as we don't increase it)
- pam_unix : was originally designed to call initgroups() but now does nothing of value

Fortunately most of these also do their work as part of the session step, meaning we haven't lost any functionality in practice. The exception is pam_group which has a hard requirement on the credentials step.

pam_krb5 also uses the credential step, but it also has a redundant handling in the session step.
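
To see which services on a given system are exposed to the missing call, the following added example (not part of the original report or of tl-session) scans a PAM service file for the modules listed above. It relies on the fact that pam_setcred() runs the hooks of modules configured in the `auth` stack; the function name and the sample file are constructed for illustration, and `include`/`substack` lines are not followed.

```python
import re

# Modules the report lists as using the credentials step (pam_sm_setcred).
USES_SETCRED = {"pam_env", "pam_filter", "pam_group", "pam_mail", "pam_nologin",
                "pam_tally", "pam_tally2", "pam_unix", "pam_krb5"}
# The only one the report found with a hard requirement on that step.
NEEDS_SETCRED = {"pam_group"}

# /etc/pam.d line: [-]type  control  module-path  [arguments]
# control is either a keyword or a bracketed [value=action ...] list.
LINE = re.compile(r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

def setcred_modules(service_text):
    """Return [(module, hard_requirement)] for auth-stack modules using setcred."""
    found = []
    text = service_text.replace("\\\n", " ")      # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        m = LINE.match(line)
        # pam_setcred() only reaches modules listed under the auth type.
        if not m or m["type"].lower() != "auth":
            continue
        if m["control"] in ("include", "substack"):
            continue                              # referenced file not followed
        name = re.sub(r"\.so$", "", m["module"].rsplit("/", 1)[-1])
        if name in USES_SETCRED:
            found.append((name, name in NEEDS_SETCRED))
    return found

# Constructed sample service file, not taken from any real system.
SAMPLE = """\
# constructed sample
auth    required    pam_env.so
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite   pam_deny.so
auth    optional    /lib/security/pam_group.so
-auth   optional    pam_krb5.so minimum_uid=1000
session required    pam_mail.so standard
session optional    pam_group.so
"""

if __name__ == "__main__":
    for module, hard in setcred_modules(SAMPLE):
        status = "requires pam_setcred()" if hard else "uses credentials step"
        print(f"{module}: {status}")
```

A `True` flag marks a module whose effect (supplemental groups from pam_group) is absent from sessions until the application calls pam_setcred().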