Hi,
it has been revealed that sudo calls pam in a rather strange way. In particular, it calls pam_open_session in one process, and pam_close_session in another process, which can and does totally confuse modules that assume that pam calls are symmetric and/or modules that store data (pam_set_data).
The PAM Application Writer's manual leaves no word about whether programs must properly nest open_session with close_session, or whether modules must anticipate spurious calls to close_session without a preceding open_session. Some clarification would be welcome.
pam-developers@lists.fedorahosted.org