I have developed a PAM module that creates the authorized_keys file from X.509 certificates obtained from LDAP. If specified there are cases where public keys from user a,b,...,n are synced into the authorized_keys file of user x. Right now I don't have any possibility to figure out which actual user has now logged in on behalf of user x. A solution to this problem is that OpenSSH makes the fingerprint of the key that has been (succesfully) used during public key authentication available within the PAM space (pam_set_data() / pam_putenv()). In this case one could hook in another PAM module e.g. for session management that obtains the fingerprint and work with it (e.g. mapping to user and making it available in user environment).
This is basically a subset of what is already implemented in the bug #2408 [1]. I would rather focus on merging one of the implementation than creating three different. It is the third time I hear about similar requests so I believe it would be a good thing to settle on some solution upstream. [1] https://bugzilla.mindrot.org/show_bug.cgi?id=2408
Configuration *** This bug has been marked as a duplicate of bug 2408 ***
closing resolved bugs as of 8.6p1 release