canonical · adombeck · Jan 13, 2026
diff --git a/pam/internal/adapter/authentication.go b/pam/internal/adapter/authentication.go
@@ -346,7 +346,13 @@ func (m authenticationModel) Update(msg tea.Msg) (authModel authenticationModel,
 
 		switch msg.access {
 		case auth.Granted:
-			return m, sendEvent(PamSuccess{BrokerID: m.currentBrokerID, msg: authMsg})
+			var secret string
+			if msg.secret != nil {
+				secret = *msg.secret
+			} else {
+				log.Warningf(context.Background(), "authentication granted, but no secret returned, cannot set PAM_AUTHTOK")
+			}
+			return m, sendEvent(PamSuccess{BrokerID: m.currentBrokerID, AuthTok: secret, msg: authMsg})
 
 		case auth.Retry:
 			m.errorMsg = authMsg

diff --git a/pam/internal/adapter/return.go b/pam/internal/adapter/return.go
@@ -20,6 +20,7 @@ type PamReturnError interface {
 // PamSuccess signals PAM module to return with provided pam.Success and Quit tea.Model.
 type PamSuccess struct {
 	BrokerID string
+	AuthTok  string
 	msg      string
 }
 

diff --git a/pam/pam.go b/pam/pam.go
@@ -333,6 +333,11 @@ func (h *pamModule) handleAuthRequest(mode authd.SessionMode, mTx pam.ModuleTran
 		if err := mTx.SetData(authenticationBrokerIDKey, exitStatus.BrokerID); err != nil {
 			return err
 		}
+		if exitStatus.AuthTok != "" {
+			if err := mTx.SetItem(pam.Authtok, exitStatus.AuthTok); err != nil {
+				return err
+			}
+		}
 		return nil
 
 	case adapter.PamReturnError: