My PAM module is user-agnostic and knows about the authenticated user on success. It is not necessary or even appreciated to supply the username at login time, and nss_ldap will take care of setting pwent on success. OpenSSH, however, does not honour the new username that is set using pam_set_item(PAM_USER, value) on success.
To be more precise: by "not supplying username" at login time, I mean supplying a placeholder username that triggers the PAM module to initiate external authentication configured as sufficient.
OpenSSH doesn't support PAM changing the username used for authentication. We don't have any intention to change this, sorry.
With all due respect, these are the first-page search results for 'openssh pam_set_item PAM_USER':
https://www.redhat.com/archives/pam-list/2009-January/msg00002.html
https://github.com/globus/gsi-openssh
https://lists.mindrot.org/pipermail/openssh-unix-dev/2002-August/015217.html
https://wiki.moonshot.ja.net/download/attachments/6881896/openssh-nulluser-6.7p1.patch?version=1&modificationDate=1487091061000&api=v2
https://unix.stackexchange.com/questions/362510/unable-to-smuggle-data-in-username-using-custom-pam-module-input-userauth-requ/362697#362697
https://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html
Reconsidering your decisions is not a shame. And yes, I'm free to maintain a fork, I know ;)
closing resolved bugs as of 8.6p1 release