I'm working on a PAM module to unlock keychains in Mac OS X. Keychains are like the mapped passwords detailed in the original PAM RFC -- a single password "unlocks" a chain of other passwords. Note, however, that I'm not presently concerned with integrating the mapped passwords themselves into PAM, because that would require support from the modules themselves.

At the moment:

- pam_sm_authenticate() checks that the user-supplied password will unlock the keychain, and if so, saves it with pam_set_data()
- pam_sm_setcred(pamh, PAM_ESTABLISH_CRED) unlocks the keychain using the password saved by pam_sm_authenticate()
- pam_sm_setcred(pamh, PAM_DELETE_CRED) locks the keychain

Does this sound right? I presume that pam_sm_authenticate() shouldn't change the state of the keychain, and that I shouldn't just retrieve the authentication token using pam_get_item() in pam_sm_setcred() as I don't know which password would have possibly unlocked the keychain.

-- Luke

--
Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
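The flow described in the message above, as an added example that is not part of the original post and not the author's module. It models the handoff in plain C with stand-ins instead of libpam or Keychain calls: `struct handle`, `struct keychain`, `set_data`, `scrub_free`, `sm_authenticate`, `sm_setcred` and the result codes are all hypothetical names, and the keychain password is a constructed value supplied by the caller.

```c
/* Added example: stand-in model of the module flow; no libpam or Keychain calls. */
#include <stdlib.h>
#include <string.h>

enum { OK = 0, AUTH_ERR = 1, CRED_UNAVAIL = 2 };       /* stand-ins for PAM_* codes */
enum { ESTABLISH_CRED = 1, DELETE_CRED = 2 };          /* stand-ins for setcred flags */

typedef void (*cleanup_fn)(void *data);
struct handle { void *data; cleanup_fn cleanup; };     /* stand-in for pam_handle_t */
struct keychain { const char *secret; int unlocked; }; /* stand-in for a keychain */

/* Like pam_set_data(): replacing or clearing the slot runs the old cleanup. */
static void set_data(struct handle *h, void *data, cleanup_fn fn) {
    if (h->data && h->cleanup) h->cleanup(h->data);
    h->data = data;
    h->cleanup = fn;
}

/* Cleanup callback: scrub the saved password before freeing it. */
static void scrub_free(void *data) {
    volatile char *p = data;
    size_t n = strlen((const char *)data);
    while (n--) *p++ = 0;
    free(data);
}

/* authenticate: test the password, leave the keychain state alone, save a copy.
 * strcmp() stands in for the real "would this unlock the keychain" check. */
int sm_authenticate(struct handle *h, const struct keychain *kc, const char *pw) {
    if (strcmp(pw, kc->secret) != 0) return AUTH_ERR;
    char *copy = malloc(strlen(pw) + 1);
    if (!copy) return AUTH_ERR;
    strcpy(copy, pw);
    set_data(h, copy, scrub_free);
    return OK;
}

/* setcred: unlock with the saved password only, or lock again on delete. */
int sm_setcred(struct handle *h, struct keychain *kc, int flags) {
    if (flags == DELETE_CRED) { kc->unlocked = 0; return OK; }
    if (flags != ESTABLISH_CRED || !h->data) return CRED_UNAVAIL;
    kc->unlocked = (strcmp(h->data, kc->secret) == 0);
    /* Assumption of this sketch: the copy is dropped after its first use. */
    set_data(h, NULL, NULL);
    return kc->unlocked ? OK : CRED_UNAVAIL;
}
```

In a real module the saved copy would also be released by the cleanup function passed to pam_set_data() when the handle is torn down.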