As discussed elsewhere, for Fedora Server we want to have pam_reauthorize.so late in the auth and session PAM stacks for sshd. https://github.com/stefwalter/cockpit/blob/reauthorize/doc/reauthorize.md Will post patch.
There's many ways to do this, but for now the simple approach seems to be best, just adding the relevant lines to /etc/pam.d/sshd: # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare
Created attachment 914455 [details] Add pam_reauthorize.so to sshd.pam I've done some tests on this. In addition you can add a 'debug' flag to the PAM stack lines, and see further output in the logs.
http://koji.fedoraproject.org/koji/buildinfo?buildID=543745 http://koji.fedoraproject.org/koji/buildinfo?buildID=543746