Well, it turns out I'm actually an idiot: the pam_exec.so module is perfectly fine for creating PAM conditionals.
Tim Smith was correct in assessing that both tests in my /etc/security/deny-ssh-user.sh script were NEVER setting the variable SSH_SESSION to true. I didn't take that into consideration because the script works in a normal shell, but the environment context is stripped when executed by pam_exec.so.
I ended up rewriting the script to use the last utility just like his example; however, I had to change some of it because the switches for last differ between Arch Linux and RedHat.
### Here is the revised script at /etc/security/deny-ssh-user.sh:
```bash
#!/bin/bash
# Returns 1 if the user is logged in through SSH
# Returns 0 if the user is not logged in through SSH
SSH_SESSION=false

function isSshSession {
    local terminal="${1}"
    # last -i prints the source address in column 3; 0.0.0.0 means a local login
    if /usr/bin/last -i | /usr/bin/grep "${terminal}" | /usr/bin/grep 'still logged in' \
        | /usr/bin/awk '{print $3}' | /usr/bin/grep -q --invert-match '0\.0\.0\.0'; then
        echo true
    else
        echo false
    fi
}

function stripTerminal {
    local terminal="${1}"
    # PAM_TTY is in the form /dev/pts/X
    # Last utility displays TTY in the form pts/x
    # Returns the first five characters stripped from TTY
    echo "${terminal:5}"
}

lastTerminal=$(stripTerminal "${PAM_TTY}")
SSH_SESSION=$(isSshSession "${lastTerminal}")

if "${SSH_SESSION}"; then
    exit 1
else
    exit 0
fi
```

### Contents of /etc/pam.d/sudo

```
....
auth [success=ok default=1] pam_exec.so /etc/security/deny-ssh-user.sh
auth sufficient pam_module_to_skip.so
....
```
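As an added illustration (not part of the original post), here is the same check run over constructed `last -i` lines. It shows that the substring `grep "${terminal}"` used in the script also matches pts/10 when asked about pts/1, so a local user on pts/1 would be flagged as an SSH session if someone else is logged in remotely on pts/10; an exact match on the tty column avoids that. The sample output, the `last_output` helper and the function names are assumptions for the demonstration.

```bash
#!/bin/bash
# Constructed `last -i` output (not from the original post). Column 2 is the tty,
# column 3 the source address; 0.0.0.0 marks a local (non-SSH) login.
# bob is local on pts/1, alice is remote on pts/10, carol has already logged out.
SAMPLE_LAST='bob      pts/1        0.0.0.0          Mon Jan  1 10:05   still logged in
alice    pts/10       203.0.113.7      Mon Jan  1 10:00   still logged in
carol    pts/2        203.0.113.9      Mon Jan  1 09:00 - 09:30  (00:30)'

# Source of `last` lines; replace the body with /usr/bin/last -i for real use.
last_output() { printf '%s\n' "$SAMPLE_LAST"; }

# Substring match, as in the original grep chain: "pts/1" also matches "pts/10",
# so this reports bob on pts/1 as an SSH session because of alice's line.
ssh_session_substring() {
    last_output | grep "$1" | grep 'still logged in' | awk '{print $3}' \
        | grep -q -v '0\.0\.0\.0'
}

# Exact match on the tty column plus the "still logged in" marker; only a
# live session on exactly this tty with a non-local address counts.
ssh_session_exact() {
    last_output | awk -v tty="$1" '
        $2 == tty && /still logged in/ && $3 != "0.0.0.0" { found = 1 }
        END { exit !found }'
}

# PAM_TTY is /dev/pts/X, last prints pts/X; strip a leading /dev/ if present.
strip_terminal() { printf '%s\n' "${1#/dev/}"; }

# Stand-alone run: exit 1 (deny) for an SSH session on the given tty, else 0.
if [ -n "$PAM_TTY" ] && ssh_session_exact "$(strip_terminal "$PAM_TTY")"; then
    exit 1
fi
```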