Subject: Re: setcred, keychains..
From: Luke Howard (lukehPADL.COM)
Date: Mon Oct 09 2000 - 21:26:59 CDT


>If the keychain is unlocked in pam_sm_setcred(), but I want
>to implement use_mapped_pass in a module (which, as Darwin
>PAM modules all use the FreeBSD pam_get_pass() function to
>retrieve authentication token information, is fairly
>trivial)... then, the keychain won't be unlocked by the
>time pam_sm_authenticate() is called in the modules which
>want to grab their authentication tokens out of the
>keychain.

I think I can get around this by doing the following:

1. pam_sm_authenticate() unlocks the keychain, and
   registers the chain with pam_set_data(), the
   cleanup function for which will lock up the
   keychain.

2. pam_sm_setcred() sets a flag in the module
   specific data to prevent the cleanup function
   from locking the keychain again. It also
   unlocks the keychain which may be a NOOP if
   called immediately after pam_sm_authenticate(),
   or not if pam_sm_setcred(..., PAM_DELETE_CRED)
   has been called.

3. when pam_end() is called, the cleanup function
   gets called, and unless pam_sm_setcred() was
   called, the keychain will be locked up again.

The consequence is that the keychain will remain unlocked
for use by other PAM modules that support the use_mapped_pass
option.

-- Luke

--
Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukehdarwin.apple.com | lukehpadl.com

_______________________________________________ Pam-list mailing list Pam-listredhat.com https://listman.redhat.com/mailman/listinfo/pam-list
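The three-step lifecycle described in the message above, worked through as an added C example; this is not Luke Howard's code nor any Darwin or PADL module. The pam_set_data/pam_get_data/pam_end functions and the PAM_* constants are a minimal in-process stand-in for libpam (same signatures and values as Linux-PAM) so the file builds and runs without PAM installed; a real module would drop that part and include <security/pam_modules.h>. The keychain is modelled as a single lock bit, and the module-data name "pam_keychain:chain" is made up for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes and setcred flags used below, with their Linux-PAM values. */
#define PAM_SUCCESS         0
#define PAM_SYSTEM_ERR      4
#define PAM_BUF_ERR         5
#define PAM_CRED_UNAVAIL   15
#define PAM_NO_MODULE_DATA 18
#define PAM_ESTABLISH_CRED 0x0002
#define PAM_DELETE_CRED    0x0004

/* Minimal stand-in for libpam's per-handle module data, with the real
 * pam_set_data/pam_get_data/pam_end signatures (assumption: a real module
 * drops this block and includes <security/pam_modules.h> instead). */
typedef struct pam_handle pam_handle_t;
typedef void (*pam_cleanup_fn)(pam_handle_t *pamh, void *data, int error_status);
struct pam_data { const char *name; void *data; pam_cleanup_fn cleanup; struct pam_data *next; };
struct pam_handle { struct pam_data *data; };

int pam_set_data(pam_handle_t *pamh, const char *name, void *data, pam_cleanup_fn cleanup)
{
    struct pam_data *d = malloc(sizeof *d);
    if (d == NULL) return PAM_BUF_ERR;
    d->name = name; d->data = data; d->cleanup = cleanup; d->next = pamh->data;
    pamh->data = d;
    return PAM_SUCCESS;
}

int pam_get_data(const pam_handle_t *pamh, const char *name, const void **data)
{
    for (const struct pam_data *d = pamh->data; d != NULL; d = d->next)
        if (strcmp(d->name, name) == 0) { *data = d->data; return PAM_SUCCESS; }
    return PAM_NO_MODULE_DATA;
}

int pam_end(pam_handle_t *pamh, int pam_status)   /* runs every registered cleanup once */
{
    for (struct pam_data *d = pamh->data, *next; d != NULL; d = next) {
        next = d->next;
        if (d->cleanup != NULL) d->cleanup(pamh, d->data, pam_status);
        free(d);
    }
    pamh->data = NULL;
    return PAM_SUCCESS;
}

/* The keychain, modelled as one lock bit (constructed stand-in, starts locked). */
typedef struct { int locked; } keychain_t;
static keychain_t user_keychain = { 1 };

/* The module itself, following steps 1 to 3 of the message. */
#define KEYCHAIN_DATA "pam_keychain:chain"   /* hypothetical module-data name */
struct keychain_data {
    keychain_t *chain;
    int cred_established;   /* set by pam_sm_setcred(); tells the cleanup not to re-lock */
};

/* Step 3: called from pam_end(); locks the chain again unless setcred was called. */
static void keychain_cleanup(pam_handle_t *pamh, void *data, int error_status)
{
    struct keychain_data *kd = data;
    (void)pamh; (void)error_status;
    if (!kd->cred_established) kd->chain->locked = 1;
    free(kd);
}

/* Step 1: unlock the keychain and register it so the cleanup can lock it again. */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)flags; (void)argc; (void)argv;
    struct keychain_data *kd = calloc(1, sizeof *kd);
    if (kd == NULL) return PAM_BUF_ERR;
    kd->chain = &user_keychain;
    kd->chain->locked = 0;            /* a real module would unlock with the user's password */
    if (pam_set_data(pamh, KEYCHAIN_DATA, kd, keychain_cleanup) != PAM_SUCCESS) {
        kd->chain->locked = 1;        /* no cleanup registered, so do not leave it open */
        free(kd);
        return PAM_SYSTEM_ERR;
    }
    return PAM_SUCCESS;
}

/* Step 2: keep the keychain unlocked past pam_end(), or lock it on PAM_DELETE_CRED. */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const void *p;
    (void)argc; (void)argv;
    if (pam_get_data(pamh, KEYCHAIN_DATA, &p) != PAM_SUCCESS)
        return PAM_CRED_UNAVAIL;      /* setcred without a preceding authenticate */
    struct keychain_data *kd = (struct keychain_data *)p;   /* our own data; drop the const */
    if (flags & PAM_DELETE_CRED) {
        kd->chain->locked = 1;
        kd->cred_established = 0;     /* the cleanup will re-lock at pam_end() as well */
    } else {                          /* ESTABLISH (or REINITIALIZE/REFRESH) */
        kd->cred_established = 1;
        kd->chain->locked = 0;        /* no-op right after authenticate, real after DELETE_CRED */
    }
    return PAM_SUCCESS;
}

/* Drive authenticate, then each setcred flag in turn, then pam_end();
 * returns the keychain lock state afterwards (1 = locked, 0 = unlocked). */
int run_lifecycle(const int *setcred_flags, int n)
{
    pam_handle_t h = { NULL };
    user_keychain.locked = 1;
    pam_sm_authenticate(&h, 0, 0, NULL);
    for (int i = 0; i < n; i++) pam_sm_setcred(&h, setcred_flags[i], 0, NULL);
    pam_end(&h, PAM_SUCCESS);
    return user_keychain.locked;
}

int main(void)
{
    const int est[] = { PAM_ESTABLISH_CRED };
    const int del[] = { PAM_ESTABLISH_CRED, PAM_DELETE_CRED };
    printf("authenticate, pam_end          -> locked=%d\n", run_lifecycle(NULL, 0));
    printf("authenticate, setcred, pam_end -> locked=%d\n", run_lifecycle(est, 1));
    printf("..., DELETE_CRED, pam_end       -> locked=%d\n", run_lifecycle(del, 2));
    return 0;
}
```

Running it shows the consequence the message draws: an authenticate-only conversation (pam_end() with no setcred) ends with the keychain locked again, while authenticate followed by setcred leaves it unlocked for later modules; PAM_DELETE_CRED locks it and clears the flag, and a further PAM_ESTABLISH_CRED re-unlocks it, which is the case where the unlock in setcred is not a no-op.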