Luke Howard wrote: > I think I can get around this by doing the following: > > 1. pam_sm_authenticate() unlocks the keychain, and > registers the chain with pam_set_data(), the > cleanup function for which will lock up the > keychain. > > 2. pam_sm_setcred() sets a flag in the module > specific data to prevent the cleanup function > from locking the keychain again. It also > unlocks the keychain which may be a NOOP if > called immediately after pam_sm_authenticate(), > or not if pam_sm_setcred(..., PAM_DELETE_CRED) > has been called. > > 3. when pam_end() is called, the cleanup function > gets called, and unless pam_sm_setcred() was > called, the keychain will be locked up again. > > The consequence is that the keychain will remain unlocked > for use by other PAM modules that support the use_mapped_pass > option. It sounds ok, although I'm not quite clear on where the chain is stored. The cleanup at the end looks fragile depending on where the chain is. Does the chain exist in shared memory or something? Or are you referring to other modules in the same stack? Thanks Andrew