Setting PAM_RUSER and PAM_RHOST earlier is fine but the point of setting PAM_USER post-authentication is that it was set to the name of the user commands are being run as, rather than the name of the user we are authenticating as. - todd