Sooo... If the keychain is unlocked in pam_sm_setcred(), but I want to implement use_mapped_pass in a module (which, as Darwin PAM modules all use the FreeBSD pam_get_pass() function to retrieve authentication token information, is fairly trivial)... then, the keychain won't be unlocked by the time pam_sm_authenticate() is called in the modules which want to grab their authentication tokens out of the keychain. So maybe pam_keychain's pam_sm_authenticate() should do the unlocking, rather than pam_sm_setcred()? That certainly makes the implementation simpler, no need for module-specific data... hmm.. -- Luke -- Luke Howard | Darwin Developer | PADL Software Pty Ltd www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
