>If the keychain is unlocked in pam_sm_setcred(), but I want
>to implement use_mapped_pass in a module (which, as Darwin
>PAM modules all use the FreeBSD pam_get_pass() function to
>retrieve authentication token information, is fairly
>trivial)... then, the keychain won't be unlocked by the
>time pam_sm_authenticate() is called in the modules which
>want to grab their authentication tokens out of the
>keychain.

I think I can get around this by doing the following:

1. pam_sm_authenticate() unlocks the keychain, and registers the chain with
pam_set_data(), the cleanup function for which will lock up the keychain.

2. pam_sm_setcred() sets a flag in the module-specific data to prevent the
cleanup function from locking the keychain again. It also unlocks the
keychain, which may be a NOOP if called immediately after
pam_sm_authenticate(), or not if pam_sm_setcred(..., PAM_DELETE_CRED) has
been called.

3. When pam_end() is called, the cleanup function gets called, and unless
pam_sm_setcred() was called, the keychain will be locked up again.

The consequence is that the keychain will remain unlocked for use by other
PAM modules that support the use_mapped_pass option.

-- Luke

--
Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
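The three-step lifecycle in the message above, as an added, stand-alone illustration that is not code from the message, from PADL or from Darwin: it does not link against libpam or Apple's Security framework. The mock_pam_* functions, the MOCK_PAM_* constants, keychain_t and the KEYCHAIN_DATA name are local stand-ins (assumptions) that keep only the pam_set_data()/cleanup contract of the real API and a single locked bit, so the control flow of steps 1 to 3 (authenticate unlocks and registers a locking cleanup, setcred sets the keep-unlocked flag and re-unlocks, pam_end runs the cleanup) can be executed and checked, including the PAM_DELETE_CRED path the message mentions.

```c
/* Added example: simulation of the keychain-unlock lifecycle. The PAM handle,
 * pam_set_data()/pam_get_data()/pam_end() and the keychain are local mocks
 * (assumptions), not libpam or the Security framework. */
#include <stdlib.h>
#include <string.h>

/* Mock keychain: only tracks whether it is locked. */
typedef struct { int locked; } keychain_t;
static int keychain_unlock(keychain_t *kc) { kc->locked = 0; return 0; }
static int keychain_lock(keychain_t *kc)   { kc->locked = 1; return 0; }

/* Minimal stand-in for the PAM handle: one module-data slot plus its cleanup. */
enum { MOCK_PAM_SUCCESS = 0, MOCK_PAM_NO_MODULE_DATA, MOCK_PAM_CRED_ERR };
#define MOCK_PAM_ESTABLISH_CRED 0x1   /* local flag values, not libpam's */
#define MOCK_PAM_DELETE_CRED    0x2
typedef struct mock_pam_handle mock_pam_handle_t;
typedef void (*mock_cleanup_fn)(mock_pam_handle_t *, void *, int);
struct mock_pam_handle { const char *name; void *data; mock_cleanup_fn cleanup; };

static int mock_pam_set_data(mock_pam_handle_t *h, const char *name, void *data, mock_cleanup_fn fn)
{
    h->name = name; h->data = data; h->cleanup = fn;
    return MOCK_PAM_SUCCESS;
}
static int mock_pam_get_data(mock_pam_handle_t *h, const char *name, void **data)
{
    if (h->name == NULL || strcmp(h->name, name) != 0) return MOCK_PAM_NO_MODULE_DATA;
    *data = h->data;
    return MOCK_PAM_SUCCESS;
}
/* Step 3: pam_end() runs the registered cleanup exactly once. */
static int mock_pam_end(mock_pam_handle_t *h, int status)
{
    if (h->cleanup) h->cleanup(h, h->data, status);
    h->name = NULL; h->data = NULL; h->cleanup = NULL;
    return MOCK_PAM_SUCCESS;
}

/* Module side. KEYCHAIN_DATA is a hypothetical pam_set_data() name. */
#define KEYCHAIN_DATA "example_keychain"
typedef struct {
    keychain_t *kc;
    int keep_unlocked;   /* set by setcred: cleanup must not lock again */
} keychain_data_t;

/* Cleanup registered in step 1: locks the keychain unless step 2 ran. */
static void keychain_cleanup(mock_pam_handle_t *h, void *data, int status)
{
    keychain_data_t *kd = data;
    (void)h; (void)status;
    if (!kd->keep_unlocked) keychain_lock(kd->kc);
    free(kd);
}

/* Step 1: unlock, then register the data with the locking cleanup. */
static int example_sm_authenticate(mock_pam_handle_t *h, keychain_t *kc)
{
    keychain_data_t *kd = calloc(1, sizeof *kd);
    if (kd == NULL) return MOCK_PAM_CRED_ERR;
    kd->kc = kc;
    if (keychain_unlock(kc) != 0) { free(kd); return MOCK_PAM_CRED_ERR; }
    return mock_pam_set_data(h, KEYCHAIN_DATA, kd, keychain_cleanup);
}

/* Step 2: flag the data so cleanup leaves the chain open, then (re)unlock.
 * The unlock is a no-op straight after step 1 and a real unlock after a
 * DELETE_CRED, which locks the keychain instead. */
static int example_sm_setcred(mock_pam_handle_t *h, int flags)
{
    void *p;
    keychain_data_t *kd;
    if (mock_pam_get_data(h, KEYCHAIN_DATA, &p) != MOCK_PAM_SUCCESS) return MOCK_PAM_NO_MODULE_DATA;
    kd = p;
    if (flags & MOCK_PAM_DELETE_CRED)
        return keychain_lock(kd->kc) == 0 ? MOCK_PAM_SUCCESS : MOCK_PAM_CRED_ERR;
    kd->keep_unlocked = 1;
    return keychain_unlock(kd->kc) == 0 ? MOCK_PAM_SUCCESS : MOCK_PAM_CRED_ERR;
}

/* Scenarios; each returns 1 when the keychain ends where the message predicts. */
static int scenario_no_setcred(void)            /* auth, end: locked again */
{
    keychain_t kc = { 1 }; mock_pam_handle_t h = { 0 };
    example_sm_authenticate(&h, &kc);
    int open_after_auth = !kc.locked;
    mock_pam_end(&h, MOCK_PAM_SUCCESS);
    return open_after_auth && kc.locked;
}
static int scenario_setcred_keeps_open(void)    /* auth, setcred, end: stays open */
{
    keychain_t kc = { 1 }; mock_pam_handle_t h = { 0 };
    example_sm_authenticate(&h, &kc);
    example_sm_setcred(&h, MOCK_PAM_ESTABLISH_CRED);
    mock_pam_end(&h, MOCK_PAM_SUCCESS);
    return !kc.locked;
}
static int scenario_delete_then_establish(void) /* auth, delete, establish, end */
{
    keychain_t kc = { 1 }; mock_pam_handle_t h = { 0 };
    example_sm_authenticate(&h, &kc);
    example_sm_setcred(&h, MOCK_PAM_DELETE_CRED);
    int locked_after_delete = kc.locked;
    example_sm_setcred(&h, MOCK_PAM_ESTABLISH_CRED);
    mock_pam_end(&h, MOCK_PAM_SUCCESS);
    return locked_after_delete && !kc.locked;
}
```

The flag lives in the module data rather than in a static, so it is per PAM handle and is freed by the same cleanup that decides whether to lock; a setcred call with no preceding authenticate finds no data and fails rather than touching the keychain.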