One of the crypted-homedir implementations (tcfs? one of the ones that spoke nfs over the loopback interface) used a pam module to snag the user's password too, to use as the decrypt key for the crypted filesystem. I mention this only to point out that there may be some code to be reused there, or even library-ized, or anything else to minimize wheel reinvention. =) jim
