[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: setcred, keychains..



>If the keychain is unlocked in pam_sm_setcred(), but I want 
>to implement use_mapped_pass in a module (which, as Darwin
>PAM modules all use the FreeBSD pam_get_pass() function to
>retrieve authentication token information, is fairly
>trivial)... then, the keychain won't be unlocked by the
>time pam_sm_authenticate() is called in the modules which
>want to grab their authentication tokens out of the
>keychain.

I think I can get around this by doing the following:

1. pam_sm_authenticate() unlocks the keychain, and
   registers the chain with pam_set_data(), the
   cleanup function for which will lock up the
   keychain.

2. pam_sm_setcred() sets a flag in the module
   specific data to prevent the cleanup function
   from locking the keychain again. It also 
   unlocks the keychain which may be a NOOP if
   called immediately after pam_sm_authenticate(),
   or not if pam_sm_setcred(..., PAM_DELETE_CRED)
   has been called.

3. when pam_end() is called, the cleanup function
   gets called, and unless pam_sm_setcred() was
   called, the keychain will be locked up again.

The consequence is that the keychain will remain unlocked
for use by other PAM modules that support the use_mapped_pass
option.

-- Luke

--
Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []