From 974b43d5cf05506a1a65b76b153ae42f817b7e9a Mon Sep 17 00:00:00 2001
From: "D.S."
Date: Mon, 24 Nov 2025 18:26:45 -0800
Subject: [PATCH 1/2] Set AUTHD_AUTH_MODE PAM env when an authentication mode is selected. Downstream PAM modules can read this variable to branch on the authentication method, such as requiring a second factor when the user authenticates with a local password. This makes it possible to address MFA-related requests (e.g. #1124) by allowing administrators to configure their PAM stack to enforce 2FA based on the selected auth mode.
---
 pam/internal/adapter/model.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pam/internal/adapter/model.go b/pam/internal/adapter/model.go
index 7a41a582c4..eb7f90cdc7 100644
--- a/pam/internal/adapter/model.go
+++ b/pam/internal/adapter/model.go
@@ -365,6 +365,8 @@ func (m uiModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 msg: "reselection of current auth mode without current ID",
 })
 }
+ // Export selected auth mode to the PAM environment.
+ m.pamMTx.PutEnv("AUTHD_AUTH_MODE=" + msg.ID)
 return m, tea.Sequence(
 m.updateClientModel(msg),
 getLayout(m.client, m.currentSession.sessionID, msg.ID),
From 9eeadf378b4e20fb19c77eecd9f70f32f8bda28a Mon Sep 17 00:00:00 2001
From: "D.S."
Date: Tue, 25 Nov 2025 14:10:19 -0800
Subject: [PATCH 2/2] Set AUTHD_AUTH_LAST_MODE on quit using m.authModeSelectionModel.currentAuthModeSelectedID value
---
 pam/internal/adapter/model.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pam/internal/adapter/model.go b/pam/internal/adapter/model.go
index eb7f90cdc7..003b0dc0ce 100644
--- a/pam/internal/adapter/model.go
+++ b/pam/internal/adapter/model.go
@@ -365,8 +365,6 @@ func (m uiModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 msg: "reselection of current auth mode without current ID",
 })
 }
- // Export selected auth mode to the PAM environment.
- m.pamMTx.PutEnv("AUTHD_AUTH_MODE=" + msg.ID)
 return m, tea.Sequence(
 m.updateClientModel(msg),
 getLayout(m.client, m.currentSession.sessionID, msg.ID),
@@ -408,6 +406,8 @@ func (m uiModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 cmds = append(cmds, m.updateClientModel(msg))
+ // Export last selected auth mode to the PAM environment.
+ m.pamMTx.PutEnv("AUTHD_AUTH_LAST_MODE=" + m.authModeSelectionModel.currentAuthModeSelectedID)
 return m, tea.Batch(cmds...)
 }
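Review bot: The added `m.pamMTx.PutEnv(...)` call in the second hunk (`@@ -408,6 +406,8 @@`) discards its result, so a failed export looks the same to later PAM modules as no auth mode having been selected. The series intends those modules to decide on a second factor from this variable, so a silent failure, or an empty `currentAuthModeSelectedID` (which passes `AUTHD_AUTH_LAST_MODE=` to `PutEnv`), can let a stack that only matches specific values skip that requirement. Assuming `PutEnv` returns an `error`, as PAM transaction wrappers normally do, check it with `if err := m.pamMTx.PutEnv("AUTHD_AUTH_LAST_MODE=" + id); err != nil { ... }` and fail the authentication instead of continuing; also skip the export when the ID is empty. I would extend the comment to `// Export the last selected auth mode. This records the selection, not a successful authentication; consumers must treat an unset or empty value as requiring the second factor.` The enclosing `Update` case starts outside the hunk, so which message triggers this path is not visible here.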