setcred, keychains..

I'm working on a PAM module to unlock keychains in Mac OS X.

Keychains are like the mapped passwords detailed in the
original PAM RFC -- a single password "unlocks" a chain
of other passwords. Note, however, that I'm not presently
concerned with integrating the mapped passwords themselves
into PAM, because that would require support from the
modules themselves.

At the moment:

pam_sm_authenticate()	checks that the user-supplied
			password will unlock the keychain,
			and if so, saves it with 

pam_sm_setcred(pamh, PAM_ESTABLISH_CRED)
			unlocks the keychain using the
			password saved by pam_sm_authenticate()

pam_sm_setcred(pamh, PAM_DELETE_CRED)
			locks the keychain

Does this sound right? I presume that pam_sm_authenticate()
shouldn't change the state of the keychain, and that
I shouldn't just retrieve the authentication token using
pam_get_item() in pam_sm_setcred() as I don't know which
password would have possibly unlocked the keychain.

-- Luke

Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
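
The flow above, written out as an added example (this is not Luke's module, and not libpam or Security.framework code). Everything marked "stand-in" below is invented for this example so it builds on its own: a pam_handle with one module-data slot, and a keychain that is just a lock flag plus the password it was created with. pam_sm_authenticate() verifies without touching the lock state and stashes a private copy under a module-specific name with a scrubbing cleanup; pam_sm_setcred() unlocks from that copy on PAM_ESTABLISH_CRED and locks on PAM_DELETE_CRED, never consulting PAM_AUTHTOK, which a later module in the stack may have replaced.

```c
/* Added example, not code from Luke's module, libpam or Security.framework.
 * Everything marked "stand-in" is written for this example (assumption);
 * pam_sm_authenticate() / pam_sm_setcred() carry the control flow. */
#include <stdlib.h>
#include <string.h>

/* --- stand-in for the libpam pieces the module touches --- */
#define PAM_SUCCESS        0
#define PAM_BUF_ERR        5
#define PAM_AUTH_ERR       7
#define PAM_CRED_ERR       17
#define PAM_NO_MODULE_DATA 18
#define PAM_ESTABLISH_CRED 0x0002
#define PAM_DELETE_CRED    0x0004

typedef struct pam_handle {
    const char *user;        /* what pam_get_user() would return      */
    const char *authtok;     /* PAM_AUTHTOK item as the stack left it */
    const char *data_name;   /* one module-data slot is enough here   */
    void *data;
    void (*cleanup)(struct pam_handle *, void *, int);
} pam_handle_t;

static int pam_set_data(pam_handle_t *pamh, const char *name, void *data,
                        void (*cleanup)(pam_handle_t *, void *, int))
{
    if (pamh->cleanup)               /* replacing a value: scrub the old one */
        pamh->cleanup(pamh, pamh->data, PAM_SUCCESS);
    pamh->data_name = name; pamh->data = data; pamh->cleanup = cleanup;
    return PAM_SUCCESS;
}

static int pam_get_data(pam_handle_t *pamh, const char *name, const void **out)
{
    if (!pamh->data || strcmp(pamh->data_name, name) != 0)
        return PAM_NO_MODULE_DATA;
    *out = pamh->data;
    return PAM_SUCCESS;
}

/* pam_end() runs the registered cleanups: that is where our copy dies. */
static void pam_end(pam_handle_t *pamh, int status)
{
    if (pamh->cleanup) pamh->cleanup(pamh, pamh->data, status);
    pamh->data = NULL; pamh->cleanup = NULL; pamh->data_name = NULL;
}

/* --- stand-in keychain: lock state plus the password it was created with
 *     (constructed test data, not a real keychain file) --- */
typedef struct { const char *password; int locked; } keychain_t;
static keychain_t g_login_keychain = { "correct horse", 1 };

static keychain_t *keychain_for_user(const char *user)
{
    return (user && strcmp(user, "luke") == 0) ? &g_login_keychain : NULL;
}

/* Would pw open the keychain?  Answered without touching the lock state. */
static int keychain_password_ok(const keychain_t *kc, const char *pw)
{
    return pw != NULL && strcmp(kc->password, pw) == 0;
}

/* --- the module --- */
#define KC_AUTHTOK_DATA "pam_keychain:authtok"

/* Cleanup registered with pam_set_data(): wipe, then free, our copy. */
static void scrub_authtok(pam_handle_t *pamh, void *data, int status)
{
    volatile char *p = data;
    (void)pamh; (void)status;
    if (!p) return;
    while (*p) *p++ = '\0';
    free(data);
}

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    keychain_t *kc = keychain_for_user(pamh->user);
    size_t n; char *copy;
    (void)flags; (void)argc; (void)argv;
    if (!kc || !keychain_password_ok(kc, pamh->authtok))
        return PAM_AUTH_ERR;                 /* keychain state unchanged */
    /* Private copy under a module-specific name: by the time setcred runs,
     * PAM_AUTHTOK may hold whatever a later module in the stack put there. */
    n = strlen(pamh->authtok) + 1;
    if (!(copy = malloc(n)))
        return PAM_BUF_ERR;
    memcpy(copy, pamh->authtok, n);
    return pam_set_data(pamh, KC_AUTHTOK_DATA, copy, scrub_authtok);
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    keychain_t *kc = keychain_for_user(pamh->user);
    const void *saved;
    (void)argc; (void)argv;
    if (!kc)
        return PAM_CRED_ERR;
    if (flags & PAM_ESTABLISH_CRED) {
        if (pam_get_data(pamh, KC_AUTHTOK_DATA, &saved) != PAM_SUCCESS)
            return PAM_CRED_ERR;             /* authenticate() never ran */
        if (!keychain_password_ok(kc, saved))
            return PAM_CRED_ERR;
        kc->locked = 0;                      /* the actual unlock */
    } else if (flags & PAM_DELETE_CRED) {
        kc->locked = 1;
    }                                        /* REINITIALIZE/REFRESH: no-op */
    return PAM_SUCCESS;
}
```

The piece worth keeping when the stand-ins are swapped for the real headers is the data hand-off: the copy lives only in module data, is looked up by name in setcred, and is zeroed by the cleanup that pam_end() runs, so the plaintext does not outlive the PAM transaction.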

